ProActive Solutions Blog

Top Exploited Vulnerabilities in October 2025

Written by Aliah Cadena | Nov 20, 2025 5:30:00 PM

The risk landscape is continuously evolving, requiring companies to regularly identify Common Vulnerabilities and Exposures (CVEs) and adapt their IT security strategies to stay ahead of emerging threats. A striking example of the evolution of risk is how the Ransomware as a Service (RaaS) group Qilin has ramped up its attacks this year. According to threat intelligence experts at Cisco Talos, in the second half of 2025 Qilin published information stolen during ransomware attacks at a rate of more than 40 cases a month, many targeting the manufacturing industry, making it the top ransomware group identified in October 2025.

To help your company strengthen its security posture, we are giving an overview of the top CVEs identified in October 2025, including information on how the vulnerabilities were exploited and how to defend against them.

The threat Qilin presents correlates with the vulnerabilities we identified in October 2025, including the exploitation of patch-management infrastructure and remote code execution (RCE). Considering these findings, companies need to understand their hybrid environment and how to secure their public-facing IoT devices and IP address space. IBM Vault provides the identity and access management (IAM) features needed to defend against these common vulnerabilities.

Who Was Impacted by CVEs in October 2025?

While cyberattacks mostly target vulnerabilities in education and healthcare organizations, other industries are being attacked as well.

Healthcare:

  • Ransomware incidents and data theft
  • Legacy systems, medical devices, and remote/telehealth infrastructure created larger attack surfaces
  • Vulnerabilities seen are remote code execution (RCE) in enterprise apps, unpatched endpoints, and deserialization flaws

Manufacturing/Supply Chain/Enterprise Infrastructure:

  • Exploits of ERP/business-operations applications (Oracle E-Business Suite) hit supply-chain and manufacturing operations
  • Network-edge devices and management consoles were targeted (VPNs, OT convergence, etc.)
  • Pre-authentication (unauthenticated) RCE in business apps
  • Major vulnerabilities are privilege escalation in virtualization/management platforms and misconfigurations at the OT/IT boundary

Professional Services/Legal/Financial Services:

  • Ransomware victims show high counts in professional services
  • Firms are targeted for business-intelligence theft, extortion, access to privileged data
  • Major vulnerabilities are identity/access management flaws, management-interface compromises, and third-party supply chain

Education:

  • Educational institutions are disproportionately impacted because of open networks, legacy systems, and limited security budgets
  • High-profile exploitation of enterprise apps used in education [ERP systems, Managed File Transfers (MFTs)] was seen
  • Major vulnerabilities are external-facing business applications, file-transfer tools, and remote unmanaged access points

Critical Infrastructure/Network-Edge Devices:

  • Network infrastructure and edge-device vulnerabilities (VPN, firewalls, network appliances) continued to be exploited
  • OT/IoT systems remain at risk due to slower patching and longer device lifecycles
  • Major vulnerabilities are network appliance RCE, unauthenticated exploits on edge devices, firmware flaws, and privilege escalation in virtualization

Top Ransomware Group Identified in October 2025

Who: Qilin, formerly known as Agenda. Established in June 2022. Allegedly from Russia.

Strategy: Ransomware as a Service (RaaS)

Tactics:

Top Exploited CVEs in October 2025

As of October 2025, several Common Vulnerabilities and Exposures (CVEs) have been identified as actively exploited. These vulnerabilities affect both software and critical infrastructure components. Below is a summary of the most significant CVEs and their impacts:

Microsoft Windows Server Update Services (WSUS) unauthenticated RCE

Affected:

  • Windows Server Update Services on Windows Server 2012–2022

Severity:

  • Critical

Exploitation:

  • Actively exploited in the wild
  • Attackers use crafted SOAP/deserialization payloads for unauthenticated RCE as SYSTEM

Third-party impacts:

  • Compromise of WSUS can spread malware or malicious updates to every domain-joined endpoint or partner environment syncing from it

Why it matters:

  • WSUS is a trusted patch distribution service, so if it’s compromised, it becomes a supply-chain weapon inside your own network

Patch method:

  • Apply Microsoft’s out-of-band patch (ex: KB5070882 from Oct 23, 2025)
  • Remove WSUS from internet exposure and enforce TLS 1.2 only

MOTEX Lanscope Endpoint Manager RCE

Affected:

  • Lanscope Endpoint Manager (On-Prem) v9.4.7.1 and earlier

Severity:

  • Critical

Exploitation:

  • Zero-day actively abused in the wild: unauthenticated crafted packets sent to the server allow remote code execution

Third-party impacts:

  • Organizations that rely on managed service providers or cross-tenant agents risk cross-contamination
  • Common in Japanese APAC enterprise environments

Why it matters:

  • Endpoint management tools have deep privileges and broad reach, so a compromise equals domain-wide control

Patch method:

  • Upgrade to the patched release (≥ v9.4.8 series)
  • Isolate servers until patched
  • Restrict external access to the management console

VMware Aria Operations/VMware Tools Privilege Escalation

Affected:

  • VMware Aria Operations
  • VMware Tools

Severity:

  • High

Exploitation:

  • Actively exploited zero-day by state-linked actors to escalate privileges from guest VM to host

Third-party impacts:

  • Cloud providers and managed-service partners hosting multi-tenant VMware stacks risk lateral movement between tenants

Why it matters:

  • Virtualization is the backbone of enterprise infrastructure, so a hypervisor Local Privilege Escalation (LPE) means total control over many workloads

Patch method:

  • Update VMware Tools and Aria Operations to current versions
  • Verify hypervisor segmentation and disable unneeded guest integrations

7-Zip Archive Parsing RCE

Affected:

  • 7-Zip utility (all builds before v25.00)

Severity:

  • High

Exploitation:

  • Malicious ZIP files trigger directory traversal and code execution on extraction
  • Used in phishing campaigns

Third-party impacts:

  • Employees and vendors exchanging compressed data risk infection even outside managed IT
  • Often bypasses corporate email filters

Why it matters:

  • 7-Zip is ubiquitous and rarely patched
  • Easy social-engineering vector for initial access

Patch method:

  • Update to 7-Zip v25.00 or newer
  • Disable auto-extraction and enforce content filtering for archives

How ProActive Solutions Can Help Clients Mitigate October 2025 CVEs

ProActive Solutions offers a comprehensive approach to managing and mitigating the risks associated with critical CVEs identified in October 2025. By leveraging advanced security tools, proactive monitoring, and timely patch management, ProActive Solutions can help organizations stay ahead of cyber threats and ensure the security of their systems.

Key Mitigation Strategies

Microsoft WSUS and MOTEX Lanscope

Impact:

  • Unauthenticated RCEs targeting systems that manage patching or endpoints
  • Both were leveraged to gain domain-wide control and persistence

Mitigation:

  • Patch immediately; both vendors issued critical out-of-band updates
  • Remove public access to management interfaces
  • Rotate admin credentials and API keys tied to these systems
  • Monitor for unexpected package distribution or agent behavior

Fortra GoAnywhere MFT

Impact:

  • Ransomware operators exploit deserialization flaws to steal or encrypt sensitive partner data

Mitigation:

  • Upgrade to the latest GoAnywhere build
  • Remove from direct internet exposure by requiring VPN access
  • Review logs for unusual Secure File Transfer Protocol (SFTP) jobs or large outbound transfers
  • Re-validate partner file-exchange connections and keys

VMware Aria Operations/Tools

Impact:

  • Privilege escalation within VMs, enabling lateral movement across hosts, seen in state-linked campaigns

Mitigation:

  • Update VMware Tools and Aria Ops to patched versions
  • Verify segmentation between tenants and workloads
  • Disable unnecessary guest integrations and API exposure

7-Zip

Impact:

  • Weaponized archives used in phishing and initial-access campaigns

Mitigation:

  • Update to 7-Zip v25.00+
  • Disable auto-extraction
  • Enforce archive-scanning in email gateway
  • Conduct phishing refreshers emphasizing malicious ZIP payloads

How ProActive Can Help

Exposure Assessment: Identify vulnerable versions of WSUS, VMware, GoAnywhere, and Lanscope across enterprise or retail environments.

Prioritized Remediation Plans: Rank vulnerabilities by exploitability, business impact, and patch urgency, aligning with client operational risk.

Threat Intelligence Integration: Correlate CVEs with active ransomware Tactics, Techniques, and Procedures (TTPs) (notably Qilin) to inform detection engineering and board-level reporting.

Continuous Monitoring: Deploy sensor or SIEM-based alerting for exploitation indicators tied to these CVEs.

Governance Support: Update patch-management policies, vendor risk questionnaires, and supply-chain assurance processes with the lessons learned from the F5 breach.

Example Scenarios: ProActive Solutions in Action

By partnering with a service provider like ProActive Solutions that has expertise in cybersecurity, your company can eliminate vulnerabilities and avoid being successfully targeted by exploits, including those carried out by Qilin.

Here are four example scenarios showing how ProActive Solutions would help organizations mitigate the critical CVEs identified in October 2025:

Scenario 1: Exploited Patch Management System

Situation:

A regional retailer’s WSUS server was compromised after being left internet-exposed, allowing attackers to push rogue updates.

ProActive Solutions Approach:

Prevention:

  • Audit all patch management systems for internet exposure and authentication weaknesses
  • Apply network segmentation and limit WSUS syncs to trusted endpoints only
  • Harden configurations with Secure Sockets Layer/Transport Layer Security (SSL/TLS) and authenticated update distribution

Detection:

  • Monitor update logs for unsigned or out-of-sequence package distributions
  • Use endpoint telemetry to flag mismatched patch signatures or registry tampering

Response:

  • Isolate affected WSUS servers and block downstream propagation
  • Validate all client endpoints for unauthorized updates and roll back where necessary

Post-Incident:

  • Rebuild WSUS from verified media and implement a hardened patch governance policy
  • Conduct a lessons-learned session to improve update validation and change control

Scenario 2: File Transfer Breach – GoAnywhere MFT

Situation:

A manufacturing client discovered unauthorized data transfers after attackers exploited the GoAnywhere deserialization flaw.

ProActive Solutions Approach:

Prevention:

  • Disable public admin interfaces
  • Enforce token-based authentication for MFT access
  • Apply vendor security patches and validate SSL configurations regularly

Detection:

  • Correlate file transfer logs with Security Information and Event Management (SIEM) to identify unusual outbound patterns
  • Monitor for privilege escalations or account creation within MFT instances

Response:

  • Immediately suspend external transfers and revoke API tokens
  • Execute a forensic review of transfer logs and notify affected third parties

Post-Incident:

  • Re-architect workflows with secure, segmented transfer channels
  • Add continuous integrity monitoring and data exfiltration alerting
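The log-review step listed for GoAnywhere MFT above ("unusual SFTP jobs or large outbound transfers") and the detection bullets in Scenario 2 (correlating transfer logs in a SIEM, watching for account creation and privilege changes) can be expressed as a small rule set. The following Python is an added example written for this post; it is not GoAnywhere's own log format or any ProActive tool. The key=value audit lines, the partner allow-list, the 100 MiB threshold, the business-hours window and the one-hour "new account" window are all constructed assumptions to adapt to the product's real audit export.

```python
"""Added example: detection rules over MFT audit events for unusual outbound
transfers and privilege changes (constructed log format, not GoAnywhere's)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2025-10-14T09:12:03Z event=transfer dir=outbound user=erp_batch proto=sftp dest=partner-a.example bytes=20480 file=po_1001.csv
2025-10-14T09:15:40Z event=transfer dir=outbound user=erp_batch proto=sftp dest=partner-a.example bytes=18944 file=po_1002.csv
2025-10-14T02:39:58Z event=account_create user=admin target=svc_mft role=Administrator
2025-10-14T02:40:22Z event=role_change user=admin target=svc_mft role=Administrator
2025-10-14T02:41:17Z event=transfer dir=outbound user=svc_mft proto=sftp dest=203.0.113.77 bytes=734003200 file=hr_export.7z
2025-10-14T10:02:11Z event=transfer dir=inbound user=partner_b proto=sftp dest=mft.internal bytes=5120 file=ack.txt
"""

# Assumptions to tune per environment.
KNOWN_PARTNERS = {"partner-a.example", "partner-b.example"}
LARGE_BYTES = 100 * 1024 * 1024            # single outbound transfer >= 100 MiB
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59 UTC
NEW_ACCOUNT_WINDOW = timedelta(hours=1)    # account created shortly before first outbound use

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Return an event dict with a parsed timestamp, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return event


def evaluate(events):
    """Apply the rules in timestamp order.
    Returns (alerts, outbound bytes per user); each alert is (rule, actor, subject, bytes)."""
    alerts = []
    outbound_by_user = defaultdict(int)
    created_at = {}                                  # account -> creation time
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] in ("account_create", "role_change"):
            if e["event"] == "account_create":
                created_at[e["target"]] = e["ts"]
            if e.get("role") == "Administrator":     # privilege change inside the MFT instance
                alerts.append(("admin_privilege_change", e["user"], e["target"], 0))
        elif e["event"] == "transfer" and e.get("dir") == "outbound":
            size = int(e["bytes"])
            outbound_by_user[e["user"]] += size
            if size >= LARGE_BYTES:                  # large outbound transfer
                alerts.append(("large_outbound", e["user"], e["dest"], size))
            if e["dest"] not in KNOWN_PARTNERS:      # destination not a validated partner
                alerts.append(("unknown_destination", e["user"], e["dest"], size))
            if e["ts"].hour not in BUSINESS_HOURS:   # unusual timing for an SFTP job
                alerts.append(("off_hours_transfer", e["user"], e["dest"], size))
            born = created_at.get(e["user"])
            if born is not None and timedelta(0) <= e["ts"] - born <= NEW_ACCOUNT_WINDOW:
                alerts.append(("new_account_outbound", e["user"], e["dest"], size))
    return alerts, dict(outbound_by_user)


def run_detection(log_text: str = SAMPLE_LOG):
    """Parse every line, drop unparseable ones, and evaluate the rules."""
    events = [ev for ev in (parse_line(line) for line in log_text.splitlines()) if ev]
    return evaluate(events)


if __name__ == "__main__":
    found, totals = run_detection()
    for rule, actor, subject, size in found:
        print(f"{rule:24} actor={actor:10} subject={subject:18} bytes={size}")
    print("outbound bytes per user:", totals)
```

On the constructed sample the two `erp_batch` jobs produce no alerts, while the `svc_mft` account trips every transfer rule plus the correlation with its own creation minutes earlier; the per-user byte totals are what you would forward to the SIEM for baselining against prior weeks.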

Scenario 3: Virtualization Exploitation – VMware Tools/Aria Ops

Situation:

A logistics provider observed privilege escalation activity within guest VMs tied to the latest VMware zero-day.

ProActive Solutions Approach:

Prevention:

  • Enforce version control for VMware Tools and apply emergency updates immediately
  • Isolate management interfaces (vCenter, ESXi) on dedicated VLANs

Detection:

  • Monitor for unusual guest-to-host API calls or privilege elevation attempts
  • Use behavioral analytics to detect unauthorized VM snapshot or export activity

Response:

  • Suspend affected VMs, capture volatile memory, and block lateral access paths
  • Patch all hosts and revalidate hypervisor integrity

Post-Incident:

  • Review access controls and Role Based Access Control (RBAC) assignments across virtual environments
  • Conduct post-mortem workshops to harden segmentation and operational response

Scenario 4: User-Level Exploitation – 7-Zip

Situation:

An accounting employee opened a malicious ZIP that executed code and established persistence.

ProActive Solutions Approach:

Prevention:

  • Enforce automatic updates for end-user utilities such as 7-Zip and WinRAR
  • Restrict execution privileges for unknown archive files and enforce macro-blocking policies

Detection:

  • Implement endpoint protection that scans embedded archives before extraction
  • Flag ZIPs containing scripts, Dynamic Link Libraries (DLLs), or executable payloads

Response:

  • Quarantine affected systems and remove persistence mechanisms
  • Deploy enterprise-wide patching and reset potentially compromised credentials

Post-Incident:

  • Deliver user awareness training on archive-based phishing campaigns
  • Integrate Content Disarm and Reconstruction (CDR) tools into email gateways
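The 7-Zip section above describes archives that trigger directory traversal on extraction, and the Scenario 4 detection bullets call for scanning archives before extraction and flagging ZIPs that carry scripts, DLLs or executables. The following Python is an added example for this post, not code from 7-Zip or from ProActive: it reads only the ZIP central directory, flags entry names that would escape the extraction directory, entries with executable or script extensions, and symbolic-link entries, and returns a block/allow verdict without writing anything to disk. The sample archives are constructed inline, and the extension list is an assumption to tune per environment.

```python
"""Added example: inspect a ZIP archive before extraction and block archives
that carry path-traversal names, executable payloads or symlink entries."""
import io
import posixpath
import zipfile

# Assumption: extensions that should be blocked inside inbound "document" archives.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk",
}


def is_traversal(name: str) -> bool:
    """True when an entry name would land outside the extraction directory."""
    normalized = name.replace("\\", "/")               # Windows-built archives may use '\'
    if normalized.startswith("/"):                     # absolute POSIX path
        return True
    if len(normalized) > 1 and normalized[1] == ":":   # drive letter such as C:
        return True
    return ".." in normalized.split("/")               # any parent-directory component


def is_executable(name: str) -> bool:
    """True when the entry has an extension from EXECUTABLE_EXTENSIONS (case-insensitive)."""
    ext = posixpath.splitext(name.replace("\\", "/").lower())[1]
    return ext in EXECUTABLE_EXTENSIONS


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits live in the high 16 bits of external_attr; 0o120000 is S_IFLNK."""
    return ((info.external_attr >> 16) & 0o170000) == 0o120000


def inspect_zip(data: bytes) -> dict:
    """Read the central directory only; nothing is extracted or executed."""
    report = {"entries": 0, "traversal": [], "executable": [], "symlink": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"] += 1
            if is_traversal(info.filename):
                report["traversal"].append(info.filename)
            if is_executable(info.filename):
                report["executable"].append(info.filename)
            if is_symlink(info):
                report["symlink"].append(info.filename)
    suspicious = report["traversal"] or report["executable"] or report["symlink"]
    report["verdict"] = "block" if suspicious else "allow"
    return report


def build_malicious_sample() -> bytes:
    """Constructed sample: one benign document plus the three patterns checked above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/october.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("../../Users/Public/update.exe", b"MZ constructed sample")
        zf.writestr("invoice/open_me.js", b"// constructed sample")
        link = zipfile.ZipInfo("invoice/link")
        link.external_attr = 0o120777 << 16          # symlink mode bits, as a Unix tool would set them
        zf.writestr(link, "../../../tmp")            # link target stored as the entry body
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed sample: documents only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/october.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("invoice/notes.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malicious", build_malicious_sample()), ("clean", build_clean_sample())):
        print(label, inspect_zip(blob))
```

Because the check runs on entry names and mode bits alone, it is cheap enough to sit in an email gateway or a pre-extraction hook; a "block" verdict means the archive never reaches the user's extractor, which is the control Scenario 4's detection bullets describe.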

These scenarios show that ProActive understands how to help your company defend against today’s most challenging security threats, including ransomware attacks from the Qilin group.

Develop cybersecurity strategies for preventing your company’s vulnerabilities from being targeted by exploits. Ask for a consultation from ProActive Solutions.