(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – September 25, 2025
Created: Thursday, September 25, 2025 - 15:06
Categories: Cybersecurity, Security Preparedness
The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
CISCO Vulnerabilities
Description: CISCO has patched several high-severity vulnerabilities in Cisco IOS and IOS XE and CISA sent out an Emergency Directive highlighting ongoing threat actor activity targeting Cisco devices. See WaterISAC’s analysis of the situation.
Source: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
Additional Reading:
- CISA Directs Federal Agencies to Identify and Mitigate Potential Compromise of Cisco Devices
- Cisco fixed actively exploited zero-day in Cisco IOS and IOS XE software
Google Chromium V8 Type Confusion Vulnerability
CVSS Score: N/A
CVE: CVE-2025-10585
Description: Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High).
Source: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html
Libraesva ESG Vulnerability
CVSS: 6.1
CVE: CVE-2025-59689
Description: An actively exploited zero-day vulnerability in Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5. a fix has been released in 5.5.7.
Source: https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/