(TLP CLEAR) Weekly Vulnerabilities to Prioritize – October 2, 2025

The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

CISCO Vulnerabilities – Continued
Description: Cisco has continued to patch vulnerabilities in Cisco IOS and IOS XE. CISA sent out an Emergency Directive highlighting ongoing threat actor activity targeting Cisco devices. WaterISAC encourages members to be extra mindful of the vulnerability management of their Cisco devices at this time and to follow CISA’s guidance and review Cisco’s Event Response page linked below.  
Source: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
Additional Reading:

• Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws

Google Chromium V8 Type Confusion Vulnerability
CVSS Score: 7.8
CVE: CVE-2025-41244
Description: WaterISAC sent an vulnerability notification to members on September 30 regarding VMware vulnerabilities. Specifically, VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.
Source: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
Additional Reading:

• Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024

Fortra GoAnywhere MFT Vulnerability
CVSS: 10.0
CVE: CVE-2025-10035
Description: A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. CISA has added this vulnerability to its KEV catalog.
Source: https://www.fortra.com/security/advisories/product-security/fi-2025-012
Additional Reading:

• Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day

Adminer Server-Side Request Forgery Vulnerability
CVSS: 7.2
CVE: CVE-2021-21311
Description: Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9. CISA has added this vulnerability to its KEV catalog.
Source: https://www.cve.org/CVERecord?id=CVE-2021-21311

Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability
CVSS: 9.3
CVE: CVE-2025-10035
Description: Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the –chroot option. CISA has added this vulnerability to its KEV catalog.
Source: https://www.sudo.ws/security/advisories/
Additional Reading:

• CISA warns of critical Linux Sudo flaw exploited in attacks