
Emerging Threat: CVE-2025-64095 - Critical Unauthenticated File Upload Vulnerability in DNN (DotNetNuke)

CVE-2025-64095 is a critical unauthenticated file-upload vulnerability affecting DNN (DotNetNuke) versions prior to 10.1.1. The flaw exists in the platform’s default HTML editor provider, where upload validation and authorization checks were insufficient. Attackers can upload files and overwrite existing content without credentials, enabling page defacement, malicious script injection, and in some environments stored cross-site scripting (XSS).

Let's be blunt: External Attack Surface Management (EASM) has run its course. It's now all about External Exposure Management (EEM).

Part of our two-part series on the evolution from EASM to EEM. This post introduces the core shift from visibility to real-world exposure validation and why the legacy approach to external risk is no longer enough. External Attack Surface Management, or EASM, was once revolutionary. It gave organizations their first real visibility into the sprawling digital footprint created by cloud adoption, remote work, and third-party services. But the threat landscape has evolved. And EASM has not kept up.

Emerging Threat: Apache Tomcat Vulnerability CVE-2025-55752

CVE-2025-55752 is a path traversal vulnerability in Apache Tomcat. It comes from a regression introduced during a past bug fix. Because of this flaw, Tomcat normalizes URLs before decoding them, which lets attackers craft requests that bypass access controls and reach restricted directories like /WEB-INF/ and /META-INF/. In deployments where HTTP PUT is enabled, an attacker could upload files through this path and potentially gain remote code execution (RCE).

Exposed, Misconfigured and Forgotten: The Triple Threat of External Risk (and how to fix with Cloudflare and IONIX)

If popular TV and movies are to be believed, hackers break into organizations from dark rooms using flashy zero-day exploits (complete with some sort of showy animation), all while techno music blares in the background, culminating in the oh-so-cool announcement of “I’m in!” This… is not reality. The unglamorous truth is that breaches usually stem from a series of small mistakes in unremarkable things: A system that was overlooked when implementing a new policy.

CVE-2025-20333: Authenticated RCE in Cisco ASA / FTD VPN Web Server

A high-severity vulnerability (CVSS 9.9) has been disclosed in the VPN web server component of Cisco Secure Firewall ASA and FTD software. An authenticated attacker (i.e. one possessing valid VPN credentials) can send specially crafted HTTP(S) requests that bypass input validation and lead to remote code execution as root. This means full device compromise is possible.

Exposed AI Agents in the Wild: How a Public MCP Server Let Us Peek Inside Its Host

Modern enterprises run not only web apps and databases, but also AI agents and tooling servers. MCP (Model Context Protocol) is an interface pattern that exposes tools: functions the agent can call, such as a browser driver, accessibility checker, or script generator. One of the most powerful tools we found exposed was the ability to trigger a browsing task, likely driven by Selenium, Playwright or similar.

CVE-2025-10035 Critical Remote Code Execution in Fortra GoAnywhere MFT

A new critical vulnerability, CVE-2025-10035, has been disclosed in Fortra’s GoAnywhere MFT, a widely used managed file transfer solution. The flaw lies in the License Servlet and allows unauthenticated attackers to achieve remote code execution (RCE) through crafted license responses. The vendor has rated this vulnerability as Critical (CVSS 10.0) due to its potential for complete system compromise over the network.

How IONIX Protects You in the AI Gold Rush

The AI revolution is moving at breakneck speed. Every week, new tools, frameworks, and integrations hit the market. Developers eager to harness the power of large language models and automation platforms are spinning up assets with little thought to long-term security. The result is a wave of exposed services — chatbots, APIs, orchestration tools, and workflow systems — that anyone on the internet can stumble upon. Attackers see this as an open invitation.

Over 50% of Enterprise External Assets Lack WAF Protection, Including PII Pages

In our day-to-day work and conversations with security experts, one concern comes up regularly: how consistent is our WAF protection? Our answer is always the same: not as much as you think. The truth is that in the case of enterprises, web application firewall (WAF) coverage is rarely uniform. Protection is often a mixed bag of products from different vendors, managed by separate teams, each guarding only part of the attack surface.