Top 10 CISA September 2025 Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Microsoft–Networking | Azure Networking Elevation of Privilege Vulnerability | 9/4/2025 | 10 | CVE-2025-54914 | |
| argoproj–argo-cd | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2. | 9/4/2025 | 10 | CVE-2025-55 | |
| xwikisas–xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue. | 9/9/2025 | 10 | CVE-2025-55730 | |
| xwikisas–xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue. | 9/9/2025 | 10 | CVE-2025-55729 | |
| xwikisas–xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue. | 9/9/2025 | 10 | CVE-2025-55728 | |
| xwikisas–xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any page or who can access the CKEditor converter. The width parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution when the macro has been installed by a user with programming right, or it at least allows executing Velocity code as the wiki admin. Version 1.26.5 contains a patch for the issue. | 9/9/2025 | 10 | CVE-2025-55727 | |
| SAP_SE–SAP Netweaver (RMI-P4) | Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability. | 9/9/2025 | 10 | CVE-2025-42944 | |
| LabRedesCefetRJ–WeGIA | WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. WeGIA only checks MIME types for Excel files at the endpoint `/html/socio/sistema/controller/controla_xlsx.php`, which can be bypassed by placing the magic bytes of an Excel file in a PHP file. As a result, an attacker can upload a webshell to the server for remote code execution. Version 3.4.11 contains an updated fix. | 9/8/2025 | 10 | CVE-2025-58745 | |
| Digiever–DS-1200 | Certain models of NVR developed by Digiever have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access the system configuration file and obtain plaintext credentials of the NVR and its connected cameras. | 9/12/2025 | 10 | CVE-2025-10264 | |
| Delta Electronics–DIALink | Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability. | 9/11/2025 | 10 | CVE-2025-58321 | |
| Baicells–NOVA430e/430i, NOVA436Q, NEUTRINO430, NOVA846 | CWE-1392: Use of Default Credentials | 9/9/2025 | 10 | CVE-2025-55051 | |
| Spring–Cloud Gateway | Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured. | 9/16/2025 | 10 | CVE-2025-41243 | https://spring.io/security/cve-2025-41243 |
| Fortra–GoAnywhere MFT | A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. | 9/18/2025 | 10 | CVE-2025-10035 | https://www.fortra.com/security/advisories/product-security/fi-2025-012 |
| Logo Software–Diva | Authorization Bypass Through User-Controlled SQL Primary Key, CWE – 89 – Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Logo Software Diva allows SQL Injection, CAPEC – 7 – Blind SQL Injection. This issue affects Diva: through 4.56.00.00. | 9/18/2025 | 10 | CVE-2024-13151 | https://www.usom.gov.tr/bildirim/tr-25-0273 |
| TalentSys Consulting Information Technology Industry Inc.–Inka.Net | Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection. This issue affects Inka.Net: before 6.7.1. | 9/23/2025 | 10 | CVE-2025-9846 | https://www.usom.gov.tr/bildirim/tr-25-0288 |
| Iron Mountain Archiving Services Inc.–enVision | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Iron Mountain Archiving Services Inc. enVision allows Command Injection. This issue affects enVision: before 250563. | 9/23/2025 | 10 | CVE-2025-9588 | https://www.usom.gov.tr/bildirim/tr-25-0285 |
| HaruTheme–WooCommerce Designer Pro | Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro allows Upload a Web Shell to a Web Server. This issue affects WooCommerce Designer Pro: from n/a through 1.9.24. | 9/26/2025 | 10 | CVE-2025-60219 | https://patchstack.com/database/wordpress/plugin/wc-designer-pro/vulnerability/wordpress-woocommerce-designer-pro-plugin-1-9-24-arbitrary-file-upload-vulnerability?_s_id=cve |
| FlowiseAI–Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6. | 9/22/2025 | 10 | CVE-2025-59528 | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94 https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6 |
