Welcome to the vFeed September 2025 edition of the Cybersecurity Vulnerability Newsletter.

September 2025 was a highly active month for cybersecurity, with 3,738 vulnerabilities published and 820 from August revised. vFeed tracked 27,597 vulnerabilities and 2.38M vendor patch advisories, utilizing NVD 2.0, CVSS4, and EPSS4 for risk scoring, identifying 48 critical vulnerabilities with 13 highly exploitable. Key concerns included a critical Google Chrome V8 zero-day (CVE-2025-10585) and Microsoft’s 81 patched vulnerabilities (including 2 zero-days) across SharePoint, SMB Server, and HPC. Overall, nearly 87K exploits were tracked, with major contributions from GitHub, Exploit-DB, Metasploit, and Talos.

September continued to overwhelm vulnerability analysts and incident responders with critical and impactful published vulnerabilities of increased severity and with widespread exploits. The month saw a significant spike of about 3,738 published vulnerabilities, one of the largest monthly totals seen recently, compared with 3,360 in August and 3,600 in July. September was also the most active month in the vulnerability landscape, with a large portion of CVEs receiving updated risk scores and advisories. vFeed has correlated and archived 27,597 published vulnerabilities so far in 2025, well on track to be one of the highest annual counts in recent years. About 5,010 vulnerabilities were modified in September alone, compared to 4,350 CVEs with modified risk scores, priorities, or advisories during August and 5,174 during July. A record 820 vulnerabilities published in August 2025 were revised in September. By comparison, only about 2,645 CVEs had their risk scores, advisories, and priorities revised in September 2024, making the current month one of the most active seen.

vFeed vendor patch advisories grew to about 2.38M in 2025, led by sources including Ubuntu, Debian, SUSE, Oracle, and Windows, which together account for nearly 74% of the patch advisories issued during the month. vFeed has consolidated and tracked nearly 788K affected in the last 5 years alone, a significant count.

vFeed vulnerability data feeds continue to follow the NVD 2.0 schema for correlating and maintaining our threat intel feeds. Our feed database builds on the CVSS4 and EPSS4 risk scoring metrics, and so far we have captured 8,141 risk scores in 2025 alone, the largest count we have seen in any year. Of those, September alone accounted for about 833 aggregated CVSS4 scores. About 48 of those are critical vulnerabilities, 13 of which also have an EPSS exploitability percentile greater than 50%. A higher EPSS percentile indicates a greater likelihood of being exploited in the wild in the coming months compared to other similar vulnerabilities in the platform.

The impact of September's vulnerability landscape was also severe. vFeed has tracked nearly 87K exploits so far, with GitHub, Exploit-DB, Metasploit, and Talos accounting for a large portion of the identified count.

The number of critical vulnerabilities identified by vFeed in September, those with a CVSS base score of 9.0 or higher, was 454, compared to 484 in August, 535 in July, 187 in March, and 129 in February. About 45 of those critical vulnerabilities (~10%) had a high likelihood of exploitation in the next few months, with a probability of more than 50%.

Among those, 18 (~4%) had a perfect 10.0 score, spanning several hardware and software components. These include certain NVR models developed by Digiever that expose sensitive system information to intruders owing to unauthenticated access to the system configuration files. HTTP header handling accounted for two such vulnerabilities, in Tenda AC1206 15.03.06.23 and Mercury KM08-708H GiGA WiFi Wave2 1.1.14, both affected by incorrect or obfuscated HTTP request handlers. Two critical, highly exploitable vulnerabilities were observed in XWiki Remote Macros, the rendering macros used to migrate content, which allow remote code execution by users who edit pages. On the cloud side, a particularly critical flaw was identified by Microsoft in Azure Networking that allows attackers to escalate privileges and control routing across subnets.

Many of the critical, exploitable vulnerabilities also involved WordPress plugins and Adobe ColdFusion, through SQL injection, unrestricted PHP file uploads, and remote code execution (RCE) flaws.

A particularly intriguing vulnerability (CVE-2025-59528) was identified in the FlowiseAI version 3.0.5 UI: a critical remote code execution flaw carrying a perfect 10.0 CVSS score and a 64% likelihood of exploitation. It lies in the CustomMCP UI node, where user-controlled configuration input is executed directly as JavaScript without validation, allowing attackers to run arbitrary code with full Node.js privileges on the server.

A critical zero-day in Google Chrome's V8 engine, CVE-2025-10585, was reported by Google's Threat Analysis Group, which confirmed active exploitation in the wild; this makes it a high-urgency update for everyone using Chrome, to be patched at the earliest. Exploits are known to be available, with a high degree of exploitability (88%) in the near future. The vulnerability is a type confusion in the JavaScript engine, which incorrectly treats one object kind as another, leading to heap corruption via crafted HTML pages.

WordPress plugins accounted for nearly 250 of the vulnerabilities published in September alone, of which 17 (~7%) are deemed critical. The Email plugin, WPCasa plugin, Doccure theme, Ninja Forms, WooCommerce Inventory Management plugin, AdForest theme, and Goza Charity WordPress themes account for the majority. These vulnerabilities stem from remote code execution, arbitrary file upload, code injection, and authentication bypass. One published vulnerability, CVE-2025-8570 in the WordPress BeyondCart Connector plugin, is susceptible to privilege escalation due to improper JWT secret management and authorization, making it possible for unauthenticated attackers to craft valid tokens and assume the role of a user. It has a critical 9.8 score with only a 10% exploitation percentile; however, known exploits are available, making it particularly important to patch at the earliest.

Microsoft accounted for about 44 published vulnerabilities in the month, of which 3 had high exploitability: the high-severity CVE-2025-54897, deserialization of untrusted data in Microsoft Office SharePoint, with a 69% EPSS percentile; the critical-severity CVE-2025-55234, in which the Server Message Block (SMB) Server is susceptible to privilege escalation attacks, with a 63% EPSS percentile; and the critical-severity CVE-2025-55232 in the Microsoft High Performance Compute Pack (HPC), allowing an unauthorized attacker to execute code over a network, with a 57% EPSS percentile. All of these vulnerabilities have known exploits, making them highly critical to patch at the earliest. CVE-2025-55234 is a zero-day in which, per Microsoft, the SMB Server is susceptible to exploitation using relay attacks, subjecting users to elevation-of-privilege attacks on affected systems.

Microsoft's September 2025 Patch Tuesday addressed 81 vulnerabilities, 9 of them classified as critical. These primarily involved remote code execution, privilege escalation, and information disclosure across Windows, Office, SQL Server, SMB/NTLM, Azure services, and other products. The reported vulnerabilities included 2 zero-days; 41 Elevation of Privilege flaws accounted for about 50% of the total, 22 Remote Code Execution (RCE) flaws for about 27%, and 16 Information Disclosure flaws for about 18%.

vFeed identified the top weaknesses (CWE) that contributed to critical vulnerabilities during the month. Of the 454 critical vulnerabilities found in September alone, 166 (~36%) were CWE-74 Improper Neutralization (injection) weakness types, followed by 44 (~10%) CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer (buffer overflow), and 21 (~5%) CWE-89 SQL Injection weakness types. The trend is similar to August, when CWE-74 Improper Neutralization/Injection accounted for 28% and CWE-119 buffer overflow for 15% of the published weakness advisories during the month.

Pay attention to these top critical vulnerabilities, which are likely to be exploitable this month.

| CVE | Description | CVSS 3 Base | EPSS Percentile | Exploit PoC Available? | Date Published | Weakness | Versions Affected | References |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-54914 | Azure Networking Elevation of Privilege Vulnerability | 10.0 | 12.6% | Yes | 2025-09-04 | CWE-284 | N/A | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54914 |
| CVE-2025-8570 | BeyondCart Connector WordPress plugin vulnerable to privilege escalation due to improper JWT secret management | 9.8 | 10.1% | Yes | 2025-09-11 | CWE-798 | 1.4.2 to 2.1.0 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d0dd4fc0-1c6a-4556-b219-893563a27a69 |
| CVE-2025-59528 | FlowiseAI UI flow CustomMCP node allows users to input configuration settings for connecting to an external MCP server, allowing user configuration input to directly execute as JavaScript without validation | 10.0 | 64.6% | No | 2025-09-22 | CWE-94 | 3.0.5 | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p |
| CVE-2025-55728 | XWiki Remote Macros provides rendering macros for migrating content from Confluence, where missing escaping of the classes parameter in a macro allows RCE for users that edit pages | 9.8 | 92.4% | No | 2025-09-09 | CWE-94 | > 1.0 < 1.26.5 | https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-48f4-h726-74p5 |
| CVE-2025-10585 | Google Chrome: type confusion in V8 allowed RCE, potentially exploiting heap corruption via a crafted HTML page | 9.8 | 88.2% | Yes | 2025-09-24 | CWE-843 | < 140.0.7339.185 | https://github.com/AdityaBhatt3010/CVE-2025-10585-The-Chrome-V8-Zero-Day |
| CVE-2025-10035 | Fortra GoAnywhere MFT License Servlet allows a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection | 10.0 | 98.2% | Yes | 2025-09-18 | CWE-502 | 7.7.0 (incl), 7.8.4 (excl) | https://www.fortra.com/security/advisories/product-security/fi-2025-012 |
| CVE-2025-53690 | Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) allows Code Injection | 9.0 | 94.9% | Yes | 2025-09-03 | CWE-502 | <= 9.0 | https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 |
| CVE-2025-55234 | SMB Server susceptible to exploitation using relay attacks, making users subject to elevation of privilege attacks | 9.8 | 63.5% | Yes | 2025-09-09 | CWE-287 | Win 10, 11, 12 R2, 16, 22, 25 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234 |
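As an added illustration (this is not vFeed's code), the following Python applies the newsletter's own cut-offs, CVSS 9.0 or higher for critical and an EPSS percentile above 50% for highly exploitable, together with the public-PoC column, to the rows of the table above and produces a patch-first order; the tier scheme itself is an assumption of this example.

```python
"""Patch-priority triage over the newsletter's table of September 2025 CVEs.
Added illustration, not vFeed's code; the tier scheme is an assumption built
on the newsletter's own cut-offs (CVSS >= 9.0 critical, EPSS percentile > 50%
highly exploitable, a public PoC raises urgency)."""
from dataclasses import dataclass

CRITICAL_CVSS = 9.0          # newsletter's definition of "critical"
HIGH_EPSS_PERCENTILE = 50.0  # newsletter's "highly exploitable" cut-off


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float             # CVSS 3 base score
    epss_percentile: float  # 0-100
    poc_available: bool     # "Exploit PoC Available?" column

# Rows copied from the table above, values as published there.
SEPT_2025 = [
    Vuln("CVE-2025-54914", 10.0, 12.6, True),
    Vuln("CVE-2025-8570", 9.8, 10.1, True),
    Vuln("CVE-2025-59528", 10.0, 64.6, False),
    Vuln("CVE-2025-55728", 9.8, 92.4, False),
    Vuln("CVE-2025-10585", 9.8, 88.2, True),
    Vuln("CVE-2025-10035", 10.0, 98.2, True),
    Vuln("CVE-2025-53690", 9.0, 94.9, True),
    Vuln("CVE-2025-55234", 9.8, 63.5, True),
]

def tier(v: Vuln) -> int:
    """Lower is more urgent. 0: critical with high EPSS and a public PoC;
    1: critical with one of those signals; 2: critical with neither;
    3: below the newsletter's critical threshold."""
    if v.cvss < CRITICAL_CVSS:
        return 3
    signals = int(v.epss_percentile > HIGH_EPSS_PERCENTILE) + int(v.poc_available)
    return 2 - signals

def triage(vulns):
    """CVE ids in patch-first order: by tier, then EPSS percentile, then CVSS."""
    ranked = sorted(vulns, key=lambda v: (tier(v), -v.epss_percentile, -v.cvss))
    return [v.cve for v in ranked]

def summary(vulns):
    """The two monthly counts the newsletter reports: critical vulnerabilities,
    and those among them with an EPSS percentile above 50%."""
    crit = [v for v in vulns if v.cvss >= CRITICAL_CVSS]
    hot = [v for v in crit if v.epss_percentile > HIGH_EPSS_PERCENTILE]
    return {"critical": len(crit), "highly_exploitable": len(hot)}
```

Note that CVE-2025-8570 lands last despite its 9.8 score: a low EPSS percentile pulls it down, which is exactly why the newsletter singles it out as still worth patching early on the strength of its public exploit.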

May you live in interesting times! 🙂

Click here to schedule your demo with vFeed Threat Intel today!