Recorded Future Insikt Group August 2025 Report: 18 High-Impact Vulnerabilities Prioritized for Patching
Recorded Future’s Insikt Group identified 18 high-impact vulnerabilities in August 2025 that organizations should prioritize for remediation, marking a decrease from the 22 vulnerabilities highlighted in July. Despite the overall reduction, the number of Very Critical vulnerabilities remained steady at 16 compared to the previous month. These flaws impacted vendors including Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August’s findings were dominated by Citrix and D-Link vulnerabilities, accounting for six of the 18 total. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
The most commonly exploited weakness was CWE-78 (OS Command Injection), followed by CWE-502 (Deserialization of Untrusted Data) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel). One vulnerability tied into a malware campaign: the Russia-linked threat group RomCom exploited CVE-2025-8088 to deliver a SnipBot backdoor variant, a RustyClaw downloader, and a Mythic C2 agent.
Six of the 18 vulnerabilities—CVE-2025-8088, CVE-2025-7775, CVE-2025-57819, CVE-2024-8069, CVE-2013-3893, and CVE-2007-0671—enabled remote code execution (RCE). These affected WinRAR, Citrix, FreePBX, and Microsoft products.
Insikt Group analyzed 1,037 vulnerabilities disclosed in August with Risk Scores of 65 or above (High to Very Critical), based on Recorded Future data. The 18 vulnerabilities listed below were actively exploited during the month, with some featuring public proof-of-concept (PoC) code identified by Insikt Group. These PoCs were not tested for accuracy or efficacy, and vulnerability management teams should verify them cautiously before use.
| CVE ID | Vendor/Product | Description | Risk Score | Public PoC Available |
|---|---|---|---|---|
| CVE-2025-7775 | Citrix NetScaler | Memory overflow leading to RCE/DoS | Very Critical | No |
| CVE-2025-8088 | WinRAR | Path traversal for RCE | Very Critical | Yes |
| CVE-2025-8875 | N-able N-central | Insecure deserialization | Very Critical | No |
| CVE-2025-8876 | N-able N-central | Command injection | Very Critical | No |
| CVE-2025-20265 | Cisco Secure FMC | RCE via RADIUS authentication | Very Critical | Yes |
| CVE-2025-25256 | Fortinet FortiSIEM | Pre-auth command injection | Very Critical | Yes |
| (Additional 12 CVEs not detailed in source) | Various | Various high-impact flaws | Critical/Very Critical | Varies |
The report highlights OS Command Injection (CWE-78) as the most exploited weakness, followed by Deserialization of Untrusted Data (CWE-502) and Authentication Bypass (CWE-288). Notably, the Russia-linked RomCom group exploited CVE-2025-8088 in WinRAR to deploy malicious payloads, including a SnipBot backdoor and Mythic C2 agent, via phishing campaigns. Six vulnerabilities, including those in Citrix and Microsoft products, enabled remote code execution (RCE), amplifying risks of network compromise.
A critical memory overflow vulnerability, CVE-2025-7775, in Citrix NetScaler ADC and Gateway appliances allowed unauthenticated RCE and denial-of-service attacks. Exploited in the wild, it was used by attackers to deploy persistent web shells, risking data theft and network breaches. CISA mandated federal agencies to patch by August 28, 2025, with Shadowserver noting 8,926 vulnerable instances, primarily in North America and Europe. Citrix issued patches for affected builds, urging immediate upgrades.
CVE-2025-8088, a WinRAR path traversal flaw, enabled attackers to drop malicious files into autorun directories, triggering RCE. A public proof-of-concept (PoC) surfaced on GitHub, emphasizing the need to upgrade to WinRAR 7.13. Similarly, Fortinet’s FortiSIEM faced a critical pre-authentication command injection (CVE-2025-25256), exploitable via crafted XML payloads. Fortinet released patches, and a workaround involves restricting access to port 7900.
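The WinRAR flaw above is described as a path traversal that lets archive entries land in autorun directories. As an added defensive illustration (not code from the report or from WinRAR), the check below validates archive entry names before extraction: it rejects absolute paths, entries that resolve outside the extraction directory, and entries that would land in a Startup folder. The `AUTORUN_MARKERS` list and the sample entry names are constructed for this example.

```python
import posixpath

# Constructed marker for a well-known Windows autorun location (lower-cased, POSIX separators).
AUTORUN_MARKERS = ("microsoft/windows/start menu/programs/startup",)


def normalize_entry(name: str) -> str:
    """Normalize an archive entry name: unify separators and drop a drive prefix like 'C:'."""
    name = name.replace("\\", "/")
    if len(name) >= 2 and name[1] == ":":
        name = name[2:]  # 'C:/Users/x' becomes '/Users/x', which is then caught as absolute
    return name


def is_safe_entry(dest_dir: str, entry_name: str) -> tuple[bool, str]:
    """Return (safe, reason). dest_dir must be an absolute POSIX-style path."""
    dest = posixpath.normpath(dest_dir)
    if not posixpath.isabs(dest):
        raise ValueError("dest_dir must be absolute")
    norm = normalize_entry(entry_name)
    if not norm:
        return False, "empty name"
    if norm.startswith("/"):
        return False, "absolute path"
    # Resolve '..' and '.' segments, then require the result to stay under dest_dir.
    # commonpath (not a string prefix test) so '/tmp/out2' is not mistaken for '/tmp/out'.
    target = posixpath.normpath(posixpath.join(dest, norm))
    if posixpath.commonpath([dest, target]) != dest:
        return False, "escapes extraction directory"
    if any(marker in target.lower() for marker in AUTORUN_MARKERS):
        return False, "targets autorun directory"
    return True, "ok"


def rejected_entries(dest_dir: str, names: list[str]) -> list[tuple[str, str]]:
    """Return (entry, reason) for every entry that must not be extracted."""
    results = []
    for name in names:
        safe, reason = is_safe_entry(dest_dir, name)
        if not safe:
            results.append((name, reason))
    return results


if __name__ == "__main__":
    # Constructed sample entry names, mixing benign and traversal-style paths.
    sample = [
        "docs/readme.txt",
        "a/../b.txt",
        "..\\..\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.exe",
        "C:\\Users\\bob\\run.exe",
    ]
    for entry, reason in rejected_entries("/tmp/out", sample):
        print(f"REJECT {entry!r}: {reason}")
```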
Cisco’s Secure Firewall Management Center (CVE-2025-20265) and N-able’s N-central (CVE-2025-8875, CVE-2025-8876) also faced critical RCE risks. Cisco’s flaw, tied to RADIUS authentication, and N-able’s deserialization and command injection issues prompted CISA to add them to its Known Exploited Vulnerabilities catalog. PoCs for Cisco and detection tools for N-able were shared, aiding vulnerability management.
With 1,037 high-risk vulnerabilities disclosed in August, Insikt Group stresses the urgency of patching to counter active exploits. Organizations should prioritize updates for affected systems and leverage detection tools like Insikt’s Nuclei templates to identify vulnerabilities. Staying ahead of these threats is critical to safeguarding networks in today’s volatile cyber landscape.
Source: Recorded Future