
The Bug Report – October 2025 Edition


Why am I here?

Welcome to October's cybersecurity horror show, where the tricks are malicious and the treats are... Well, there aren't any treats. Just vulnerabilities that would make even the most seasoned security professional want to hide under their desk with a pumpkin spice latte and pretend the internet doesn't exist. This month's collection reads like a greatest hits album of "Things That Should Never Happen But Somehow Do." We've got Microsoft's update server playing dress-up as a malware distribution platform, Adobe's e-commerce solution handing out admin privileges like Halloween candy, and a Windows driver that's been haunting systems longer than some of us have been in cybersecurity. It's enough to make you wonder if someone cast a spell on the entire software development industry. October 2025 has delivered a particularly spooky assortment of vulnerabilities that prove cybersecurity threats don't need costumes to be terrifying:


CVE-2025-59287 Microsoft Windows Server Update Service, Deserialization Of Untrusted Data

CVE-2025-54236 Adobe Commerce, Session Takeover Via Deserialization

CVE-2025-61932 Motex Lanscope Endpoint Manager, Remote Code Execution

CVE-2025-62518 Rust tokio-tar, Remote Code Execution

CVE-2025-24990 Microsoft Windows Agere Modem Driver, Untrusted Pointer Dereference

CVE-2025-40778 ISC BIND 9 DNS, Cache Poisoning

CVE-2025-59489 Unity Runtime, Local Code Execution



CVE-2025-59287: The WSUS ghost—patch server becomes patient zero


What is it?

The ultimate betrayal. Microsoft Windows Server Update Services (WSUS)—the benevolent elder meant to protect your fleet. Turns out, it's more of a zombie amplifier due to a classic deserialization of untrusted data weakness that leads to remote code execution (RCE).

This vulnerability lives in the WSUS EncryptionHelper.DecryptData() method. That’s the bit responsible for decrypting cookies from clients and, ideally, keeping things neat and safe. Unfortunately, after decrypting said cookie, WSUS commits a cardinal sin:

(C#)

    BinaryFormatter.Deserialize(decryptedData);


Yes. BinaryFormatter. A method so dangerous that Microsoft’s own documentation screams “DO NOT USE” in all caps — and yet, here we are. Proof-of-concept (PoC) for this vulnerability is already publicly available. The exploit relies on creating a "magic" object known as a gadget chain, that, upon deserialization, forces the application to execute arbitrary code. Here’s how exploitation could play out:

  1. The attacker crafts a malicious object payload using ysoserial.net.
  2. They AES-encrypt it using WSUS’s predictable key exchange process (think: encryption that’s about as secure as a hotel mini-safe).
  3. They toss it at the vulnerable SOAP endpoint:
    POST /ClientWebService/client.asmx HTTP/1.1
    <GetCookie>
    <EncryptedData>[malicious blob]</EncryptedData>
    </GetCookie>

  4. WSUS, ever trusting, decrypts and deserializes the payload — executing attacker-controlled code as NT AUTHORITY\SYSTEM.

Boom. The patch server is now the attacker’s new command-and-control node. Irony level: biblical.

That cute library you trust, turns out to be a monster!

Who cares?

Every enterprise admin who’s ever bragged, “We’re fully patched.” Yeah… not anymore.

If WSUS is part of your environment (and it is for most on-prem Windows shops), attackers can chain this with lateral movement tools and deploy malicious updates to endpoints. Imagine shipping ransomware under the guise of “October Security Rollup.”

There are multiple reports of confirmed active exploitation, so this isn’t theoretical — it’s Netflix true crime docu-series material.


What can I do?

Apply Official Patch: Exterminate this monster immediately. Microsoft released an out-of-band (OOB) security update on October 23, 2025. Install the OOB security update for your Windows Server version. A system reboot is required.

Network Isolation: If patching is delayed, your immediate action is to place a host-based firewall rule to block all inbound traffic to the default WSUS ports, 8530 (HTTP) and 8531 (HTTPS). This is a crucial stopgap.

Disable WSUS Role: If you can survive without updates for a few hours, temporarily disable the WSUS Server Role.

Trellix Customers: Trellix Network Security (NX) contains coverage for this vulnerability. Please ensure your solution is updated to at least SC: 1619.174 (release date: 2025-10-24), which contains the rule name, “Microsoft Windows Server Update Service CVE-2025-59287 RCE Attempt”.

And if you see any updates named “TotallyNotBackdoor2025.msu” — maybe skip that one.



CVE-2025-54236: SessionReaper - ecommerce poltergeist that steals more than your soul

What is it?

Meet SessionReaper, the digital poltergeist that's been haunting Adobe Commerce and Magento installations like a vengeful spirit with a computer science degree. This critical vulnerability lurks in the Web API's input validation, specifically in the Magento\Framework\Webapi\ServiceInputProcessor class's getConstructorData() method, where it feeds on improperly validated nested objects like a supernatural entity that sustains itself on poor coding practices.

The vulnerability is a masterclass in how not to handle complex data structures. The affected method lacks strict type validation for nested objects, which is like having a security guard who not only doesn't check bags but actively helps suspicious characters unpack their potentially dangerous contents. This enables an unauthenticated attacker to perform nested deserialization attacks through REST, GraphQL, and SOAP APIs—basically every way your e-commerce platform talks to the outside world. By embedding a malicious, serialized PHP object into a nested field of a standard API request, the system tries to "rebuild" the attacker's object.

Who cares?

Every unpatched e-commerce store is a blood bank for threat actors right now. Adobe, in its latest advisory, has confirmed reports of this vulnerability being actively exploited in the wild for the purpose of deploying webshells and stealing customer data. While it enables session takeover on any instance, the threat is escalated to unauthenticated RCE if you use the common default file-based session storage. If you’re running a vulnerable version, attackers are already trying to silently hijack your administrative or customer sessions and siphon off data. You are on the clock.

Public PoC code from multiple researchers is available, which means the vulnerability has graduated from "theoretical threat" to "weekend project for bored hackers." The attack method is unauthenticated API exploitation, so attackers don't even need to sweet-talk their way past your login screen—they can just waltz right in through your API endpoints like they own the place. This is a five-star threat, reminiscent of past, store-shuttering Magento crises.

Hackers don’t knock. They just walk in through /admin/ajax.php.

What can I do?

The only way to win is to patch and cleanse. Deploy the official fix from Adobe (APSB25-88). This patch introduces strict type validation to reject the nested object injection.



CVE-2025-61932 — Lanscope’s possessed agent

What is it?

Your endpoint agent’s been possessed! It’s still doing its job, but something else is whispering commands into its ear. MOTEX LANSCOPE’s MR client and DA detection agent suffer from an improper-verification-of-source bug: they don’t check where an incoming instruction actually came from.

The technical horror is simple and theatrical: an attacker crafts a packet that mimics a legitimate management instruction and sends it to the listening agent. Because the agent fails to validate the packet’s origin, it treats the instruction as gospel and runs whatever the packet carries — effectively letting a remote actor puppet the endpoint.


Threat actors taking control of your endpoint management

Who cares?

Everyone who manages endpoints with LANSCOPE on-premises — especially large fleets in enterprise environments. CISA's addition of this flaw to the KEV Catalog means it’s a proven weapon for cyber mercenaries.

JPCERT/CC and MOTEX confirmed that malicious packets were observed in customer environments. The threat actors have been having a field day since April 2025, setting up backdoor infrastructure at 38[.]54[.]56[.]57:443 and 38[.]54[.]88[.]172:443 like they're opening franchise locations for digital mayhem. They're not just breaking in—they're redecorating with malware, establishing persistence, and probably leaving passive-aggressive sticky notes about your security hygiene.


What can I do?

Exorcise immediately (patch all clients): update every MR client and DA agent to a fixed version from MOTEX (e.g., 9.4.7.3, or any other patched version listed in the advisory) — the fix is client-side; don’t just patch the manager. Grab the updates from the LANSCOPE Portal and verify every endpoint is upgraded.

NOTE: The manager component itself is not the source of the vulnerability and does not need to be upgraded.



CVE-2025-62518: TARmageddon - unpacking more than you bargained for


What is it?

The real monster isn't hiding under your bed—it's hiding in your TAR archives, waiting to spring out like a jack-in-the-box designed by a malicious software engineer with a twisted sense of humor. Dubbed "TARmageddon," this high-severity bug is an insidious data smuggling flaw in the Rust library async-tar and its key forks like tokio-tar.

The vulnerable parser gets confused by conflicting size headers: one header says the file data is large, the other says it's zero bytes. The parser wrongly follows the zero-byte instruction, fails to skip the actual (hidden) data, and then interprets the data (a complete, malicious inner TAR archive) as legitimate files in the main archive. This lets an attacker overwrite configuration files (pyproject.toml, etc.) during extraction, leading directly to Remote Code Execution (RCE) in build pipelines and development environments.
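To make the size confusion concrete, here is an added Python illustration (not code from the Trellix post or from the async-tar/tokio-tar projects): it constructs an archive whose data.bin entry carries a PAX size record of 1024 bytes while its ustar header says 0, with the hidden bytes forming a second tar entry named pyproject.toml, then lists the archive once with a walker that trusts the ustar size and once with a walker that honors the PAX size and reports the conflict. Python's own tarfile module serves as a reference parser. All helper names are this example's own.

```python
# Added example, not code from the Trellix post or the async-tar/tokio-tar projects:
# builds a constructed archive with the conflicting size headers described above
# and walks it two ways, trusting the ustar size (the bug) and honoring the PAX size.
import io
import tarfile

BLOCK = 512
ZERO_BLOCK = b"\0" * BLOCK

def _padded(size):
    return size + (-size % BLOCK)

def make_header(name, size, typeflag=b"0"):
    """One ustar header block with a valid checksum (helper written for this example)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    for lo, hi, val in ((100, 108, 0o644), (108, 116, 0), (116, 124, 0),
                        (124, 136, size), (136, 148, 0)):   # mode, uid, gid, size, mtime
        hdr[lo:hi] = f"{val:0{hi - lo - 1}o}\0".encode()
    hdr[148:156] = b" " * 8                                   # checksum counts as spaces
    hdr[156:157] = typeflag
    hdr[257:265] = b"ustar\x0000"                             # magic + version
    hdr[148:156] = f"{sum(hdr):06o}\0 ".encode()
    return bytes(hdr)

def entry(name, data, typeflag=b"0"):
    return make_header(name, len(data), typeflag) + data + b"\0" * (-len(data) % BLOCK)

def pax_record(key, value):
    """'<len> key=value\\n' where len counts the whole record including itself."""
    body = f"{key}={value}\n"
    total = len(body) + 2
    while len(str(total)) + 1 + len(body) != total:
        total += 1
    return f"{total} {body}".encode()

def parse_pax(data):
    attrs, pos = {}, 0
    while pos < len(data):
        sp = data.index(b" ", pos)
        length = int(data[pos:sp])
        key, _, value = data[sp + 1:pos + length - 1].decode().partition("=")
        attrs[key] = value
        pos += length
    return attrs

def build_crafted_archive():
    """Constructed sample: 'data.bin' carries PAX size 1024 but ustar size 0, and
    the 1024 hidden bytes are themselves a tar entry named pyproject.toml."""
    smuggled = entry("pyproject.toml", b"[smuggled]\n")     # 1024 bytes, no end marker
    outer = entry("./PaxHeaders/data.bin", pax_record("size", len(smuggled)), b"x")
    outer += make_header("data.bin", 0) + smuggled          # ustar header claims 0 bytes
    outer += entry("README", b"hello\n")
    return outer + ZERO_BLOCK * 2

def _read_header(hdr):
    name = hdr[0:100].rstrip(b"\0").decode()
    size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
    return name, size, hdr[156:157]

def naive_entries(buf):
    """Vulnerable behaviour: PAX records are stepped over but never applied, so the
    ustar size of 0 is trusted and the hidden bytes get parsed as more entries."""
    names, off = [], 0
    while buf[off:off + BLOCK] not in (b"", ZERO_BLOCK):
        name, size, typeflag = _read_header(buf[off:off + BLOCK])
        if typeflag != b"x":
            names.append(name)
        off += BLOCK + _padded(size)
    return names

def strict_entries(buf):
    """Hardened walker: the PAX size decides how much data to skip, and any
    disagreement with the ustar size is reported so the archive can be rejected."""
    names, findings, pax, off = [], [], {}, 0
    while buf[off:off + BLOCK] not in (b"", ZERO_BLOCK):
        name, size, typeflag = _read_header(buf[off:off + BLOCK])
        off += BLOCK
        if typeflag == b"x":
            pax = parse_pax(buf[off:off + size])
            off += _padded(size)
            continue
        if "size" in pax and int(pax["size"]) != size:
            findings.append(f"{name}: ustar size {size} != PAX size {pax['size']}")
            size = int(pax["size"])
        pax = {}
        names.append(name)
        off += _padded(size)
    return names, findings

def reference_entries(buf):
    """What Python's PAX-aware tarfile module lists for the same bytes."""
    with tarfile.open(fileobj=io.BytesIO(buf), mode="r:") as tf:
        return tf.getnames()

CRAFTED = build_crafted_archive()

if __name__ == "__main__":
    print(naive_entries(CRAFTED), strict_entries(CRAFTED), reference_entries(CRAFTED), sep="\n")
```

Run it and the ustar-size walker reports pyproject.toml as a member of the outer archive, which is exactly the smuggling the post describes; the PAX-aware walker (and the tarfile module) skip those bytes and the walker flags the disagreement. The safest policy for an extractor is to treat that disagreement as a hard error rather than pick one field, and the constructed archive is a quick fixture for checking whether an archive library you depend on does.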

Oooo, let’s just unpack this lovely, innocent, dependency…


Who cares?

The entire Rust ecosystem should care, considering tokio-tar has over 5 million downloads and has been abandoned like a haunted house that even ghost hunters won't enter. The vulnerability affects supply chain security in ways that would make a logistics manager have nightmares—it can compromise build systems, poison container images, and bypass Bill of Materials (BOM) tracking like a supernatural entity that doesn't show up in mirrors. Development teams using affected versions (tokio-tar < 0.5.6) are essentially working in a digital haunted mansion where the archives they trust might be possessed by malicious spirits.

The public PoC demonstrates attacks on Python build backends and container image poisoning, proving that this is a practical nightmare for DevOps teams everywhere.

What can I do?

You must abandon the abandoned library. If your project uses the unmaintained tokio-tar, you must migrate to an actively maintained and patched fork like astral-tokio-tar (version 0.5.6 or newer).



CVE-2025-24990: The phantom modem - ancient Agere rises from the grave


What is it?

Buried deep in the Windows catacombs lies an ancient relic from the dial-up era - the Agere Modem Driver (ltmdm64.sys). Like a cursed artifact in a horror movie that everyone knows they shouldn't touch, this decrepit driver has been lurking in Windows installations since Windows 7, accumulating digital dust and security vulnerabilities. Microsoft's Security Response Center (MSRC) apparently took one look at this shambling corpse of code and decided "not our problem" - a decision that would come back to haunt them like a vengeful spirit.

This ghoulish driver becomes particularly dangerous when threat actors perform their own necromancy ritual called "Bring Your Own Vulnerable Driver" (BYOVD). While the driver doesn't load by default (thankfully, even Windows has some survival instincts), attackers can manually resurrect it with simple sc create and sc start commands—essentially performing a digital séance to awaken this sleeping nightmare.

A publicly available PoC unfolds the horror through the driver's IOCTLs, which use the dreaded METHOD_NEITHER without proper address validation—imagine a haunted house where all the doors are unlocked and the security system is just a cardboard cutout of a guard. The driver offers a veritable buffet of exploitation primitives that would make any malware author's eyes light up like jack-o'-lanterns:

  • IOCTL 0x802b2003 (IOCTL_GET_VERSION): This particular incantation writes exactly 4 bytes (36 08 00 00) to any kernel address the attacker desires—it's like having a magic marker that can write anywhere in the kernel's memory.
  • IOCTL 0x802b200f: Triggers a null dereference through the ll_load_diagnostics function, creating a digital black hole in kernel space.
  • Arbitrary decrement operations: Using the ObfReferenceObject API like a cursed abacus that only counts backwards.

The exploitation chain reads like a recipe from a witch's cookbook: first, bypass kASLR using EnumDeviceDrivers to map out the kernel's layout, then use VirtualAlloc to claim a fixed address (0x083600000000) as your ritual circle. The IOCTL_GET_VERSION becomes your wand for arbitrary 4-byte writes, which can be chained together for full arbitrary read/write capabilities. On Windows 11 22H2 and later, attackers employ the "ioring technique" — a modern twist on an ancient curse that provides rock-solid exploitation stability.
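Detection-wise, the resurrection step above (sc create followed by sc start) leaves a trace: the Service Control Manager writes a "service was installed" record (Event ID 7045) to the System log naming the new service and its image path. The Python below is an added hunting rule over such records (not from the Trellix post or from Microsoft; the events are constructed samples and the field names follow the EventData of a 7045 record) that flags kernel-driver installs naming ltmdm64.sys or loading an image from outside the drivers directory, the two things a BYOVD load of this driver has in common.

```python
# Added example (not from the Trellix post or Microsoft): a hunting rule over
# Windows System-log 7045 "service installed" records that flags kernel-driver
# installs pointing at the retired Agere driver or at an image outside the
# normal drivers directory. Field names follow a 7045 record's EventData.
import ntpath

RETIRED_DRIVERS = {"ltmdm64.sys"}           # from the post; extend with your own list
TRUSTED_DIRS = ("\\systemroot\\system32\\drivers\\",
                "c:\\windows\\system32\\drivers\\")

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "sample_nic", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"System32\drivers\sample_nic.sys"},
    {"EventID": 7045, "ServiceName": "agere_fix", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"\??\C:\Users\Public\ltmdm64.sys"},
    {"EventID": 7045, "ServiceName": "Updater", "ServiceType": "user mode service",
     "StartType": "auto start", "ImagePath": r"C:\Program Files\Vendor\svc.exe"},
]


def normalize_image_path(path):
    """Lower-case, drop quotes and the \\??\\ prefix, and root relative driver
    paths at \\SystemRoot, which is how the service controller resolves them."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if not (p.startswith("\\") or p[1:3] == ":\\"):
        p = "\\systemroot\\" + p
    return p


def classify(event):
    """Reasons a service-install event is suspicious; an empty list means not flagged."""
    if event.get("EventID") != 7045 or event.get("ServiceType", "").lower() != "kernel mode driver":
        return []
    path = normalize_image_path(event.get("ImagePath", ""))
    reasons = []
    if ntpath.basename(path) in RETIRED_DRIVERS:
        reasons.append("retired driver name")
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("image outside the drivers directory")
    return reasons


def hunt(events):
    """(ServiceName, reasons) for every flagged event, in log order."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```

Against the samples only the agere_fix install is flagged, on both counts. The retired-name check is the cheap, high-confidence signal for this specific driver; the out-of-directory check is the generic BYOVD heuristic that catches the next driver someone brings along, at the cost of some tuning for vendors that legitimately install drivers elsewhere.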

Some drivers should stay buried

Who cares?

Every Windows system harboring this digital poltergeist should be concerned, which unfortunately includes most Windows installations from 7 onwards. By default, the driver sleeps peacefully, but any attacker with local access and administrative privileges can perform the resurrection ritual. On Windows 24H2, they'll need SeDebugPrivilege - a small speed bump that's about as effective as a "Beware of Dog" sign protecting a haunted mansion.

The real terror lies in what this vulnerability enables once awakened. Attackers can disable Protected Process Light (PPL) on critical system processes like lsass.exe - essentially removing the holy water protection from your most sacred system components. Even more diabolically, they can enable PPL for their own malicious processes, giving their malware the same divine protection that system processes enjoy. It's like watching the monsters don the armor of the knights who were supposed to protect you.

Threat actors have been spotted in the wild wielding this ancient weapon, particularly in sophisticated campaigns where they've already gained initial access and need to escalate privileges or establish persistence. The BYOVD technique makes this vulnerability particularly attractive because it bypasses modern kernel protections by using Microsoft's own signed driver—it's the digital equivalent of using the master key that the homeowner left under the doormat.

The impact extends beyond individual systems. In enterprise environments, a single compromised machine with this vulnerability can become a launching pad for lateral movement, especially when combined with the PPL manipulation capabilities. Attackers can essentially turn their malware into digital vampires—processes that appear legitimate to security tools while draining the life out of your network.


What can I do?

The only solution is total driver obliteration.

  1. Apply Patches: Immediately apply the October 2025 cumulative security updates for your Windows version. The update performs the final rite: it removes the vulnerable ltmdm64.sys driver.
  2. Remove Hardware: If you have any old Agere fax modem hardware... you need to have a serious talk with your IT budget. Microsoft recommends physically removing it, as the driver is gone and the hardware will no longer function.


CVE-2025-40778: When your cache gets haunted by unwanted guests


What is it?

Meet the DNS poltergeist that's been rearranging your internet furniture when you're not looking. CVE-2025-40778 is a high-severity cache poisoning vulnerability in ISC BIND 9 that's scarier than finding out your trusted DNS resolver has been accepting candy from strangers on the internet. This digital demon exploits insufficient validation in BIND 9's recursive resolver functionality, essentially turning your DNS cache into a haunted mansion where malicious records can move in without an invitation.

The technical horror unfolds in BIND's overly trusting nature - it's like a security guard who not only doesn't check IDs but actively helps suspicious characters sneak into the VIP section. The vulnerable resolver logic fails to validate that resource records in DNS responses actually match what was originally requested (QNAME, QTYPE, and QCLASS). It's the digital equivalent of ordering a pizza and accepting delivery of a haunted doll along with it, then storing both in your refrigerator for later use.

Here's where it gets truly terrifying: unlike traditional cache poisoning attacks that require winning a high-speed race against legitimate responses, this vulnerability is like having a skeleton key that opens any lock in the building. A malicious authoritative nameserver can inject arbitrary A or CNAME records for completely unrelated hostnames into your cache by simply bundling them with legitimate responses. The attack works through a simple but devastating process:

(Python)

    # dnslib API, matching the calls below; `reply` is the DNSRecord response the
    # rogue authoritative server is assembling for a query about legitimate.victim.test
    from dnslib import RR, QTYPE, A

    # The malicious DNS response that haunts your cache
    reply.add_answer(RR("legitimate.victim.test", QTYPE.A,
                        rdata=A("198.51.100.10"), ttl=120))
    reply.add_answer(RR("www.target.example", QTYPE.A,
                        rdata=A("203.0.113.5"), ttl=600))  # The uninvited ghost
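As an added illustration of the check the post says was insufficient (this is not BIND's code; the record type and the reply contents are constructed for the example), the Python below filters the answer section of a reply the way a resolver must before anything reaches the cache: a record is kept only if it sits inside the responding server's bailiwick and answers the question asked, and CNAMEs are followed only while they stay in that bailiwick.

```python
# Added example (not BIND's code): a simplified version of the answer-section
# sanitization a recursive resolver must perform before caching. Names and
# addresses are constructed for the example.
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata ttl")   # minimal record type for the example


def _canon(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True when name is the zone apex or lies below it."""
    name, zone = _canon(name), _canon(zone)
    return name == zone or name.endswith("." + zone)


def sanitize_answer(qname, qtype, zone, answer):
    """Filter the answer section of a reply from a server authoritative for `zone`,
    received for the question (qname, qtype).

    A record is kept only if it (a) lies inside the server's bailiwick and
    (b) answers the question asked; CNAMEs are followed while they stay in
    bailiwick. Returns (kept, dropped), with a reason for every dropped record.
    """
    kept, dropped = [], []
    expected = _canon(qname)
    for rr in answer:
        owner = _canon(rr.name)
        if not in_bailiwick(owner, zone):
            dropped.append((rr, "outside bailiwick"))
        elif owner != expected:
            dropped.append((rr, "owner does not match QNAME or CNAME chain"))
        elif rr.rtype == "CNAME":
            kept.append(rr)
            expected = _canon(rr.rdata)      # the next record may answer for the target
        elif rr.rtype == qtype:
            kept.append(rr)
        else:
            dropped.append((rr, "type does not match QTYPE"))
    return kept, dropped


# Constructed reply from a server authoritative for victim.test that bundles a
# record for an unrelated domain (the case sketched above).
POISON_REPLY = [
    RR("legitimate.victim.test", "A", "198.51.100.10", 120),
    RR("www.target.example", "A", "203.0.113.5", 600),
]

# Constructed reply with a CNAME chain: the alias is answered, an unrelated
# in-zone record is refused, and the hop into a foreign zone is not trusted.
CNAME_REPLY = [
    RR("alias.victim.test", "CNAME", "ext.target.example", 300),
    RR("other.victim.test", "A", "198.51.100.30", 300),
    RR("ext.target.example", "A", "203.0.113.9", 300),
]

if __name__ == "__main__":
    for q, reply in (("legitimate.victim.test", POISON_REPLY), ("alias.victim.test", CNAME_REPLY)):
        kept, dropped = sanitize_answer(q, "A", "victim.test", reply)
        print(q, "kept:", [r.name for r in kept], "dropped:", [(r.name, why) for r, why in dropped])
```

Fed the reply sketched above, it keeps the legitimate.victim.test record and drops www.target.example as out of bailiwick, so the record never reaches the cache no matter how many times it is bundled. In the CNAME case it keeps the alias record but refuses the foreign-zone A record; the resolver has to fetch that from the target zone's own servers instead of trusting whatever victim.test's server volunteered.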


My precious DNS cache... we keeps it safe... we accepts ALL the records, yes precious!

Who cares?

Every organization running BIND 9 recursive resolvers should be absolutely terrified, which includes a significant portion of the internet's DNS infrastructure. The vulnerability affects a massive range of BIND 9 versions (9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, and 9.21.0 through 9.21.12), and comes with a publicly available proof-of-concept that works like a charm (or should we say, curse). This makes it a widespread haunting across the DNS infrastructure landscape. Once poisoned, the resolver serves these malicious records from cache even after the attacker's server vanishes into the digital ether, proving that some ghosts are persistent houseguests.


What can I do?

Patch before attackers redirect your entire organization to their spooky basement server.

  1. Upgrade Immediately: Upgrade BIND 9 resolvers to a patched release. Affected versions include a wide range, so check your versions against the patched releases: 9.18.41, 9.20.15, 9.21.14, or newer maintenance builds.
  2. Restrict Access: Until patches are complete, restrict recursion to known, trusted clients only.
  3. Validate: Ensure you are employing DNSSEC validation where possible to enforce data authenticity.


CVE-2025-59489: The unity possession - when game engines become haunted houses


What is it?

This is a serious Local Code Execution vulnerability in the Unity Runtime, affecting millions of games and apps built with Unity Editor 2017.1 and later on Android, Windows, macOS, and Linux. The flaw is a simple but deadly Argument Injection, where the engine is just too trusting of command-line input.

Discovered by the digital ghost hunter RyotaK (@ryotkak) from GMO Flatt Security Inc. during the Meta Bug Bounty Researcher Conference 2025, this vulnerability is like finding a secret passage in a haunted mansion that leads directly to the basement where all the cursed artifacts are stored. The flaw affects Unity Runtime in games and applications built on Unity 2017.1 and later versions—which means roughly 70% of top mobile games, including beloved titles like Among Us and Pokémon GO, have been walking around with this digital poltergeist.

Forget the scary movie; the real despair comes from watching Unity’s intent handling turn innocent gaming applications into potential gateways for digital possession. Malicious Android intents can manipulate command-line arguments like a puppet master controlling marionettes. The vulnerability specifically exploits the xrsdk-pre-init-library parameter, which acts like a cursed incantation that allows attackers to load arbitrary shared libraries. Think of it as a digital Ouija board where instead of spelling out "GET OUT," it spells out "LOAD MALICIOUS.SO".

This parameter was originally designed for legitimate XR (Extended Reality) functionality, but like many well-intentioned features in horror movies, it becomes the very mechanism through which evil enters. When Unity processes this intent, it blindly trusts the provided library path and loads it with the same privileges as the host application—essentially giving the malicious code a VIP pass to the victim's digital soul.

Who cares?

Developers, players, and anyone distributing Unity-built applications are vulnerable. The exploit is trivial for a malicious app on the same device to execute. You download a rogue flashlight app, and suddenly that app is using your high-profile Unity game to steal data or conduct other mischief.


While Android's SELinux acts like a digital exorcist, creating barriers that should prevent malicious libraries from being loaded from arbitrary locations—like most horror-movie protections—it has a fatal flaw. Even though SELinux restrictions limit where libraries can be loaded from, attackers can bypass these protections by placing their malicious payloads in application cache directories—areas that SELinux considers "blessed ground" for the target application.

Unity reports there is no evidence of exploitation in the wild yet—but that's like saying the demons haven't started chanting yet. We need to patch proactively.

What can I do?

Rebuild with a Patched Editor (Recommended): Developers must update their Unity Editor to a patched version (Unity 2019.1 and later have fixes) and then recompile and republish all affected games and applications. This is the only way to ensure the old, haunted Runtime code is permanently gone.

Patch Built Applications (Hotfix): If you can’t immediately rebuild from source (especially for older 2017/2018 builds), download the Unity Application Patcher. This tool rewrites the built DLL/AAB/APK binary so that the vulnerable strings are modified or removed.

NOTE: This patcher is like a spiritual cleansing—it uses an ad-hoc signature on macOS, which invalidates notarization, so you must re-sign and re-notarize before re-releasing the application!

Check for Breaking Changes: Watch out! If your Windows or macOS app uses the old -dataFolder or -overrideMonoSearchPath arguments, the patch will break them. You must adjust your game's custom launch logic to avoid an entirely new set of developer-induced bugs.

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.
