Executive Summary
In October 2025, CISA added two newly discovered, actively exploited vulnerabilities—CVE-2025-54236 impacting Adobe Commerce and Magento, and CVE-2025-59287 impacting Microsoft Windows Server Update Services—to its Known Exploited Vulnerabilities (KEV) Catalog. Both vulnerabilities are believed to be leveraged by threat actors to gain unauthorized access and facilitate lateral movement within victim networks. Federal Civilian Executive Branch (FCEB) agencies are now required by BOD 22-01 to remediate these specific threats by the mandated due date, minimizing risk to critical government infrastructure and mission-critical digital assets.
This inclusion highlights a rising trend of attackers weaponizing public-facing application and misconfigured update service vulnerabilities, reflecting an escalation in both attack sophistication and speed of exploitation. Organizations of all types face mounting regulatory and operational pressure to harden security posture and accelerate remediation response times.
Why This Matters Now
The rapid addition of these vulnerabilities to CISA's KEV Catalog signals active threat campaigns exploiting widely deployed enterprise applications. Immediate action is urgent, as attackers often automate exploitation and target organizations slow to patch, placing both government and private sector networks at heightened risk of compromise and data loss.
Attack Path Analysis
Attackers exploited unpatched Adobe Commerce/Magento and Windows WSUS vulnerabilities to gain an initial foothold in cloud or hybrid environments. After executing the exploit, adversaries escalated privileges to access sensitive application or system functions. Using these elevated rights, they moved laterally—often via east-west traffic—to additional workloads, containers, or cloud services. Command and control channels were established using covert, possibly encrypted outbound communications to maintain persistence and issue commands. Exfiltration took place as attackers transferred sensitive data out, bypassing weak or misconfigured egress controls. Finally, attackers may have disrupted systems, deployed malware, or initiated ransomware impacting business operations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known vulnerabilities in Adobe Commerce/Magento (CVE-2025-54236) and Windows WSUS (CVE-2025-59287) to obtain system access.
Related CVEs
CVE-2025-54236
CVSS 8.8
An improper input validation vulnerability in Adobe Commerce versions 2.4.9-alpha2 and earlier allows attackers to achieve session takeover without user interaction.
Affected Products:
Adobe Commerce – 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, earlier versions
Exploit Status:
exploited in the wild
CVE-2025-59287
CVSS 9.8
Deserialization of untrusted data in Windows Server Update Service allows unauthorized attackers to execute code over a network.
Affected Products:
Microsoft Windows Server Update Service – all supported versions
Exploit Status:
exploited in the wild
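The affected-version list for CVE-2025-54236 above is per release branch plus "earlier versions", which is easy to misread when scanning an inventory by hand. The following added example (not Adobe's, CISA's, or this report's tooling) encodes that list and checks installed Adobe Commerce versions against it; the inventory hostnames and versions are constructed, and the version ordering (alpha < beta < GA < p1 < p2 ...) is an assumption about Adobe Commerce's scheme that should be confirmed against APSB25-88 before relying on the result.

```python
"""Check installed Adobe Commerce versions against the CVE-2025-54236 affected
list from the advisory above. Added example; version-ordering rules and the
sample inventory are constructed assumptions, not vendor data."""
import re
from typing import Dict, List, Tuple

# Highest affected version on each release branch, as listed in the advisory.
# "Earlier versions" is read as: anything at or below these on the same branch,
# and any branch older than the oldest listed one (2.4.4).
AFFECTED_MAX: Dict[Tuple[int, int, int], str] = {
    (2, 4, 9): "2.4.9-alpha2",
    (2, 4, 8): "2.4.8-p2",
    (2, 4, 7): "2.4.7-p7",
    (2, 4, 6): "2.4.6-p12",
    (2, 4, 5): "2.4.5-p14",
    (2, 4, 4): "2.4.4-p15",
}

# Accepts forms such as 2.4.7, 2.4.7-p7, 2.4.9-alpha2, 2.4.9-beta1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Assumed ordering within one base version: alpha < beta < GA release < patch.
_RANK = {"alpha": -2, "beta": -1, None: 0, "p": 1}


def parse_version(v: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Return (base, (rank, number)) so that tuples compare in release order."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {v!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    tag, num = m.group(4), m.group(5)
    return base, (_RANK[tag], int(num) if num else 0)


def is_affected(installed: str) -> bool:
    """True if the installed version falls inside the advisory's affected set."""
    base, sub = parse_version(installed)
    if base in AFFECTED_MAX:
        _, max_sub = parse_version(AFFECTED_MAX[base])
        return sub <= max_sub
    if base < min(AFFECTED_MAX):
        # Branches older than 2.4.4 are covered by "earlier versions".
        return True
    # Newer than every listed branch: outside this advisory's affected list.
    # Confirm the actual fixed versions against APSB25-88 rather than assuming.
    return False


# Constructed inventory: workload name -> installed Adobe Commerce version.
SAMPLE_INVENTORY = {
    "shop-prod-01": "2.4.7-p6",
    "shop-prod-02": "2.4.7-p8",
    "shop-staging": "2.4.9-alpha2",
    "shop-legacy": "2.3.7-p4",
    "shop-pilot": "2.4.9",
}


def exposed_hosts(inventory: Dict[str, str]) -> List[str]:
    """Sorted names of workloads whose version is within the affected set."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


if __name__ == "__main__":
    for host in exposed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in the CVE-2025-54236 affected set")
```

Running the block lists shop-legacy, shop-prod-01 and shop-staging as exposed; shop-pilot on the 2.4.9 GA release sorts above 2.4.9-alpha2 and is therefore outside the listed set, which is exactly the kind of branch-by-branch distinction that a plain string comparison would get wrong.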
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
External Remote Services
Exploitation for Client Execution
Exfiltration Over Alternative Protocol
Process Injection
Command and Scripting Interpreter
Exploitation of Remote Services
Windows Management Instrumentation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Procedures
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Continuous Vulnerability Identification and Remediation
Control ID: Vulnerability Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure to CVE-2025-59287 Windows WSUS vulnerability requiring immediate remediation per BOD 22-01, affecting federal enterprise security infrastructure and update mechanisms.
Computer Software/Engineering
High risk from Adobe Commerce CVE-2025-54236 input validation flaw and WSUS deserialization vulnerability, impacting software development platforms and client deployments.
Retail Industry
Severe threat from Adobe Commerce/Magento CVE-2025-54236 improper input validation vulnerability exposing e-commerce platforms to active exploitation and customer data breaches.
Financial Services
Significant risk from known exploited vulnerabilities affecting Windows Server infrastructure and e-commerce platforms, requiring enhanced zero trust segmentation and threat detection.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2025/10/24/cisa-adds-two-known-exploited-vulnerabilities-catalog (Verified)
- Adobe Security Bulletin APSB25-88: https://helpx.adobe.com/security/products/magento/apsb25-88.html (Verified)
- Microsoft Security Update Guide - CVE-2025-59287: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, continuous traffic inspection, and strong egress enforcement would have restricted attacker movement, limited the success of exploitation, and detected anomalous activities. CNSF capabilities such as distributed policy, east-west visibility, inline IPS, and enforced egress controls disrupt the kill chain at multiple stages.
Control: Inline IPS (Suricata)
Mitigation: Signature-based threat prevention detects and blocks known exploit traffic.
Control: Zero Trust Segmentation
Mitigation: Prevents cross-segment privilege escalation by restricting workload-to-workload access.
Control: East-West Traffic Security
Mitigation: Detects and restricts unauthorized internal traffic flows.
Control: Threat Detection & Anomaly Response
Mitigation: Identifies and alerts on anomalous outbound C2 behaviors.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unsanctioned outbound data transfers and filters destinations.
Real-time distributed enforcement limits blast radius and triggers rapid response.
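The egress control described above comes down to a per-role allowlist of destinations and ports with default deny for anything else. The following added example (not CNSF product code or part of this report) shows that evaluation over a handful of constructed outbound flow records: the policy, the workload-to-role map, the hostnames and the addresses are all placeholders, and a real allowlist would be built from the vendor's documented update endpoints and the business's sanctioned integrations.

```python
"""Evaluate outbound flows from update and commerce workloads against a
per-role egress allowlist with default deny. Added example; the policy,
role map and flow records are constructed placeholders."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src_host: str   # workload name as known to the segmentation policy
    dst: str        # destination hostname or IP literal
    dst_port: int
    bytes_out: int


# Constructed policy: which destinations and ports each workload role may reach.
EGRESS_POLICY = {
    "wsus": {
        "hosts": ["*.updates.example.test"],
        "cidrs": [ipaddress.ip_network("203.0.113.0/24")],
        "ports": {80, 443},
    },
    "commerce": {
        "hosts": ["api.psp.example.test"],
        "cidrs": [],
        "ports": {443},
    },
}

# Constructed workload-to-role map; unknown workloads get no egress at all.
WORKLOAD_ROLE = {"wsus-01": "wsus", "shop-prod-01": "commerce"}


def destination_allowed(role: Dict, dst: str) -> bool:
    """IP literals are matched against CIDRs, names against wildcard patterns."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return any(fnmatch.fnmatchcase(dst.lower(), p.lower()) for p in role["hosts"])
    return any(addr in net for net in role["cidrs"])


def evaluate(flow: Flow, policy=EGRESS_POLICY, roles=WORKLOAD_ROLE) -> Dict[str, str]:
    """Return an allow/block verdict with the policy reason that decided it."""
    role_name = roles.get(flow.src_host)
    if role_name is None:
        return {"action": "block", "reason": "unknown workload: default deny"}
    role = policy[role_name]
    if not destination_allowed(role, flow.dst):
        return {"action": "block",
                "reason": f"destination {flow.dst} not sanctioned for role {role_name}"}
    if flow.dst_port not in role["ports"]:
        return {"action": "block",
                "reason": f"port {flow.dst_port} not permitted for role {role_name}"}
    return {"action": "allow", "reason": "matches egress policy"}


# Constructed flow records resembling what a flow log or inline sensor emits.
SAMPLE_FLOWS: List[Flow] = [
    Flow("wsus-01", "sync.updates.example.test", 443, 52_000_000),  # sanctioned sync
    Flow("wsus-01", "198.51.100.7", 443, 900_000),                  # unlisted address
    Flow("wsus-01", "203.0.113.10", 8443, 1_200),                   # allowed net, odd port
    Flow("shop-prod-01", "api.psp.example.test", 443, 3_000),       # sanctioned PSP call
    Flow("shop-prod-01", "cdn.psp.example.test", 443, 500),         # sibling host, unlisted
    Flow("db-01", "10.0.0.5", 5432, 100),                           # workload with no role
]


def blocked_flows(flows: List[Flow]) -> List[Flow]:
    """Flows the policy would drop; the ones worth alerting on."""
    return [f for f in flows if evaluate(f)["action"] == "block"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict = evaluate(f)
        print(f"{f.src_host} -> {f.dst}:{f.dst_port}  {verdict['action']}  ({verdict['reason']})")
```

The order of checks matters for the alert text: an unknown workload is blocked before any destination lookup, and a destination outside the allowlist is reported before the port, so the reason string always names the first policy boundary the flow crossed. A large transfer to a sanctioned destination still passes here; volume anomalies on allowed paths belong to the anomaly-response control rather than the allowlist.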
Impact at a Glance
Affected Business Functions
- E-commerce Transactions
- Software Update Distribution
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of customer data and administrative credentials due to session takeover and remote code execution vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Prioritize the remediation of KEV-listed vulnerabilities, especially those affecting web applications and infrastructure like Adobe Commerce and WSUS.
- Implement Zero Trust segmentation and microsegmentation to restrict lateral movement and enforce least privilege access across all workloads.
- Deploy inline IPS and advanced east-west traffic inspection to detect and block exploit attempts and abnormal behaviors in real time.
- Enforce granular egress controls and encryption to prevent unauthorized data exfiltration and detect covert C2 communications.
- Centralize multicloud visibility and automate incident response with a distributed security fabric to reduce detection and containment times.