(TLP CLEAR) Weekly Vulnerabilities to Prioritize – October 23, 2025
Created: Thursday, October 23, 2025 - 15:19
Categories: Cybersecurity, Security Preparedness
The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability
CVSS v4.0: 9.3
CVE: CVE-2025-61932
Description: The LANSCOPE Endpoint Manager (On-Premises) client program (MR) and detection agent (DA) improperly verify the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets. CISA has added this vulnerability to its KEV catalog.
Source: https://www.motex.co.jp/news/notice/2025/release251020/
Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability
CVSS v3.1: 9.1
CVE: CVE-2025-54236
Description: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
Source: https://helpx.adobe.com/security/products/magento/apsb25-88.html
TP-Link VPN Router Vulnerabilities
CVSS v4.0: 9.3 and 8.7
CVEs: CVE-2025-7850 and CVE-2025-7851
Description: CVE-2025-7850 is a command injection vulnerability in the web management portal of TP-Link Omada gateways that can be exploited by an attacker who has already authenticated as an administrator. CVE-2025-7851 may allow an attacker to obtain a root shell on the underlying operating system of Omada gateways under restricted conditions.
Source: https://www.infosecurity-magazine.com/news/vulnerabilities-tplink-vpn-routers/
Microsoft Windows SMB Client Improper Access Control Vulnerability
CVSS v3.1: 8.8
CVE: CVE-2025-33073
Description: Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network. CISA has added this vulnerability to its KEV catalog.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
CVSS v3.1: 7.5
CVE: CVE-2025-61884
Description: Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CISA has added this vulnerability to its KEV catalog.
Source: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
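As an added check (example code, not WaterISAC or CISA code): the script below cross-references the CVEs in this bulletin against the CISA KEV catalog JSON feed and orders them by remediation due date, flagging any that are past due or tied to known ransomware use. The feed excerpt embedded in it is a constructed sample in the feed's shape with illustrative dates, so the script runs offline; in use, replace it with the feed downloaded from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
"""Cross-check a bulletin's CVE list against the CISA KEV catalog JSON feed.

Added example, not WaterISAC or CISA code. SAMPLE_KEV_JSON is a constructed,
abbreviated sample in the real feed's shape (same field names); its dates and
descriptions are illustrative, not CISA's actual catalog entries.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2025.10.22",
  "dateReleased": "2025-10-22T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2025-61932", "vendorProject": "Motex",
     "product": "LANSCOPE Endpoint Manager",
     "vulnerabilityName": "Improper Verification of Source of a Communication Channel",
     "dateAdded": "2025-10-22", "shortDescription": "sample entry",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2025-11-12", "knownRansomwareCampaignUse": "Unknown",
     "notes": "", "cwes": ["CWE-940"]},
    {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows SMB Client Improper Access Control",
     "dateAdded": "2025-10-20", "shortDescription": "sample entry",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown",
     "notes": "", "cwes": ["CWE-284"]},
    {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
     "vulnerabilityName": "Oracle E-Business Suite Server-Side Request Forgery",
     "dateAdded": "2025-10-20", "shortDescription": "sample entry",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown",
     "notes": "", "cwes": ["CWE-918"]}
  ]
}"""

# CVEs tracked in this bulletin, in the order they appear.
BULLETIN_CVES = [
    "CVE-2025-61932",  # Motex LANSCOPE Endpoint Manager
    "CVE-2025-54236",  # Adobe Commerce / Magento Open Source
    "CVE-2025-7850",   # TP-Link Omada gateway command injection
    "CVE-2025-7851",   # TP-Link Omada gateway root shell
    "CVE-2025-33073",  # Windows SMB client
    "CVE-2025-61884",  # Oracle E-Business Suite SSRF
]


def load_kev(feed_text):
    """Parse the KEV feed and index entries by CVE ID, checking the fields we rely on."""
    feed = json.loads(feed_text)
    entries = feed["vulnerabilities"]
    # A truncated download is the usual way this check silently goes wrong,
    # so refuse a feed whose declared count does not match its entries.
    if feed.get("count") is not None and feed["count"] != len(entries):
        raise ValueError("KEV feed count does not match number of entries")
    index = {}
    for entry in entries:
        for field in ("cveID", "dateAdded", "dueDate", "knownRansomwareCampaignUse"):
            if field not in entry:
                raise ValueError(f"KEV entry missing {field!r}: {entry.get('cveID')}")
        index[entry["cveID"].upper()] = entry
    return index


def prioritize(cves, kev_index, today):
    """Return one row per CVE: KEV entries first, earliest due date first."""
    rows = []
    for cve in cves:
        entry = kev_index.get(cve.upper())
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "due": None,
                         "days_left": None, "ransomware": None, "overdue": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({"cve": cve, "in_kev": True, "due": due, "days_left": days_left,
                     "ransomware": entry["knownRansomwareCampaignUse"],
                     "overdue": days_left < 0})
    # Stable sort: KEV rows by due date, then non-KEV rows in bulletin order.
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max))
    return rows


def report(rows):
    """Render rows as text lines for a ticket or e-mail."""
    lines = []
    for r in rows:
        if not r["in_kev"]:
            lines.append(f"{r['cve']:<16} not in KEV (track vendor advisory)")
            continue
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']} days left"
        lines.append(f"{r['cve']:<16} KEV due {r['due']} ({flag}), "
                     f"ransomware use: {r['ransomware']}")
    return lines


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for line in report(prioritize(BULLETIN_CVES, kev, date(2025, 10, 23))):
        print(line)
```

The KEV due dates are binding on federal civilian agencies under BOD 22-01; for a utility they are a prioritization signal, not a deadline, so the sort order matters more than the exact day count. Entries not in KEV are not less severe, only not yet confirmed exploited, and the Adobe and TP-Link advisories above should still be scheduled on their own merits.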
