# Full Report
Recorded Future’s Insikt Group identified 18 high-impact vulnerabilities in August 2025, including RCE flaws in Citrix, WinRAR, and Fortinet products. Several were actively exploited by threat actors like RomCom. Read the full analysis, PoCs, and patch guidance.
# Analysis Summary
# Vulnerability: Citrix NetScaler RCE via Memory Overflow (August 2025)
## CVE Details
- CVE ID: CVE-2025-7775
- CVSS Score: **Critical** (Exact score not specified, but described as critical and actively exploited)
- CWE: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- Products: Citrix NetScaler ADC, NetScaler Gateway appliances
- Versions: Vulnerable versions are not explicitly listed; the fixed builds are given under Remediation below.
- Configurations: Appliances operating as Gateway/AAA virtual servers, load balancing (LB) virtual servers bound to IPv6 or DBS IPv6, and content routing (CR) virtual servers with HDX.
## Vulnerability Description
CVE-2025-7775 is a critical memory overflow vulnerability affecting Citrix NetScaler ADC and Gateway appliances. Successful exploitation allows unauthenticated threat actors to achieve Remote Code Execution (RCE) or Denial of Service (DoS). Threat actors have been observed exploiting this pre-authentication RCE flaw to deploy web shells for establishing persistence, leading to potential data exfiltration, lateral movement, and full network compromise.
## Exploitation
- Status: **Actively Exploited in the Wild** (Added to CISA KEV catalog)
- Complexity: Not explicitly rated, but pre-authentication RCE suggests **Low** to **Medium** complexity for initial compromise.
- Attack Vector: **Network** (Internet-exposed instances)
## Impact
- Confidentiality: **High** (Potential for data exfiltration)
- Integrity: **High** (Arbitrary code execution, web shell deployment)
- Availability: **Medium to High** (DoS possible)
## Remediation
### Patches
Citrix has released patches for the following builds:
- 14.1-47.48 and later
- 13.1-59.22 and later
- 13.1-FIPS/NDcPP 13.1-37.241 and later
- 12.1-FIPS/NDcPP 12.1-55.330 and later
### Workarounds
- No workarounds are currently available. Immediate upgrade/patching is strongly advised.
## Detection
- **Indicators of Compromise (IOCs):** Presence of unauthorized web shells deployed on the NetScaler platform.
- **Detection Methods and Tools:** Monitor for unusual command execution or unexpected persistence mechanisms on affected appliances. (Note: Nuclei templates may be available via Recorded Future services, but are not detailed here.)
## References
- Vendor Advisory: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
- CISA KEV Catalog (Mentioned)
- Shadowserver Foundation Statistics (Mentioned)
- Shodan Reports (Mentioned)
***
# Vulnerability: WinRAR Path Traversal for Malicious File Delivery (August 2025)
## CVE Details
- CVE ID: CVE-2025-8088
- CVSS Score: Not explicitly provided (Mentioned in context of active exploitation by RomCom)
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Segment of the Real File System) - *Inferred from the path-traversal description. The source text cites CWE-78 in its August overview, but this specific flaw is a path traversal that allows file drops.*
## Affected Systems
- Products: WinRAR
- Versions: Not explicitly listed.
- Configurations: Extraction of seemingly benign archives containing malicious Alternate Data Streams (ADS).
## Vulnerability Description
CVE-2025-8088 is a path traversal vulnerability in WinRAR that specifically leverages Alternate Data Streams (ADS) on Windows. This flaw allows an attacker to hide and deploy malicious files from within an archive upon extraction, bypassing security checks. This vulnerability was actively exploited by the Russia-linked threat group RomCom to deliver the SnipBot backdoor variant, RustyClaw downloader, and Mythic C2 agent.
## Exploitation
- Status: **Exploited in the wild** (Observed July 18–21, 2025)
- Complexity: Not explicitly rated.
- Attack Vector: **Local** (Relies on a user extracting a crafted archive, though initial delivery may be remote via phishing/download).
## Impact
- Confidentiality: **High** (Backdoor/C2 installation)
- Integrity: **High** (Execution of unauthorized code)
- Availability: **Medium** (Backdoor persistence)
## Remediation
### Patches
- Specific WinRAR patch information is **not available** in the provided text.
### Workarounds
- Exercise caution when extracting archives from untrusted sources, especially archives that carry ADS entries.
## Detection
- **Indicators of Compromise (IOCs):** Detection of SnipBot, the RustyClaw downloader, or Mythic C2 agents, or suspicious file writes utilizing ADS.
- **Detection Methods and Tools:** Antivirus/EDR solutions monitoring for unusual file creation patterns during archive extraction.
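The detection guidance above concerns file writes during extraction; a cheaper pre-extraction check is to inspect archive entry names for the two shapes this flaw combines, a `..` traversal and an NTFS alternate-data-stream marker. The following is an added example (not from Recorded Future, ESET, or WinRAR); the extraction root and all entry names are constructed for illustration and are not taken from any real sample.

```python
import ntpath
import re

EXTRACT_ROOT = "C:\\extract"          # hypothetical extraction root for the containment check
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")

# Constructed entry names for illustration (not from any real sample in the cited reporting).
SAMPLE_ENTRIES = [
    "report/Q3_summary.pdf",                               # benign
    "report/Q3_summary.pdf:hidden.exe",                    # NTFS alternate data stream
    "report/Q3_summary.pdf:..\\..\\Startup\\payload.lnk",  # '..' inside the stream portion
    "..\\..\\Windows\\Tasks\\job.xml",                     # plain '..' traversal
    "C:\\Users\\Public\\drop.exe",                         # absolute path
    "D:\\other\\drive.txt",                                # different drive
]


def classify_entry(name: str, root: str = EXTRACT_ROOT) -> set[str]:
    """Return the set of findings for one archive entry name (empty means clean)."""
    findings: set[str] = set()
    win = name.replace("/", "\\")  # archives may carry either separator style
    # Absolute paths: drive-letter prefix or leading backslash (including UNC).
    if _DRIVE_RE.match(win) or win.startswith("\\"):
        findings.add("absolute_path")
    # NTFS alternate data stream syntax is name:stream; strip a drive letter
    # first so the colon in 'C:' is not mistaken for a stream marker.
    body = win[2:] if _DRIVE_RE.match(win) else win
    if ":" in body:
        findings.add("ads_marker")
    # Any '..' component, whether in the path proper or inside the stream portion.
    if ".." in [c for c in re.split(r"[\\:]", body) if c]:
        findings.add("dot_dot_segment")
    # Containment: where would a join-and-normalise extractor write this entry?
    dest = ntpath.normpath(ntpath.join(root, win))
    try:
        inside = ntpath.normcase(ntpath.commonpath([root, dest])) == ntpath.normcase(root)
    except ValueError:  # different drives (or UNC vs. drive) share no common prefix
        inside = False
    if not inside:
        findings.add("escapes_root")
    return findings


def scan_entries(names: list[str], root: str = EXTRACT_ROOT) -> dict[str, set[str]]:
    """Map each suspicious entry name to its findings; clean names are omitted."""
    return {n: f for n in names if (f := classify_entry(n, root))}


if __name__ == "__main__":
    for entry, findings in scan_entries(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(sorted(findings))}")
```

Note that the third sample passes the containment check alone, because a naive join-and-normalise keeps it under the root; only the explicit ADS and `..` checks flag it, which is why the three heuristics are combined.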
## References
- ESET Report (Mentioned)
- Recorded Future VIE (Mentioned)
***
*Note: The summary also mentions several other CVEs (CVE-2025-7776, CVE-2025-8424, CVE-2024-8069, CVE-2013-3893, CVE-2007-0671) impacting Citrix, D-Link, FreePBX, and Microsoft, as well as CWE-78 and CWE-502 as common weaknesses, but detailed technical summaries were only available for CVE-2025-7775 and CVE-2025-8088 in the source text.*