Full Report
Source: the Outpost24 blog post "Lessons From 2025: Zero-Day Exploitation Shaping 2026", in which Outpost24's threat intelligence team reviews the top zero-day exploits of 2025 and the lessons learned.
Analysis Summary
Based on the Outpost24 analysis of zero-day exploitation trends from 2025, here is a summary of the critical vulnerabilities that shaped the threat landscape heading into 2026.
# Vulnerability: Cisco AsyncOS Zero-Day (UAT-9686 Campaign)
## CVE Details
- **CVE ID:** [CVE-2025-20393]
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Not specified in the source.
## Affected Systems
- **Products:** Cisco AsyncOS
- **Versions:** Specific versions prior to the December 2025 patches.
- **Configurations:** Systems running Cisco Content Security Management, Email Security, or Web Security appliances.
## Vulnerability Description
The Outpost24 article focuses on threat actor impact rather than root cause, but a CVSS 10.0 rating means CVE-2025-20393 lets an unauthenticated remote attacker take full control of the AsyncOS appliance. It was a cornerstone of UAT-9686 operations in late 2025, which targeted the secure email and web gateways that organizations rely on to filter inbound threats.
## Exploitation
- **Status:** Exploited in the wild (Activity attributed to UAT-9686)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total
- **Integrity:** Total
- **Availability:** Total
---
# Vulnerability: Cisco ASA/FTD Zero-Day Chain (Authorization Bypass and Remote Code Execution)
## CVE Details
- **CVE ID:** [CVE-2025-20333], [CVE-2025-20362]
- **CVSS Score:** 9.9 (Critical) for CVE-2025-20333; 6.5 (Medium) for CVE-2025-20362
- **CWE:** Not specified
## Affected Systems
- **Products:** Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD).
- **Versions:** Multiple releases; fixed releases were published with the Cisco advisories in late September 2025.
## Vulnerability Description
CVE-2025-20362 is a missing-authorization flaw that lets an unauthenticated attacker reach restricted URL endpoints on the firewall's VPN web server; CVE-2025-20333 is a code execution flaw in that same web server. Chained, the two give unauthenticated remote code execution on the perimeter firewall itself. They were heavily leveraged by the threat actor tracked as UAT4356 to gain initial access to corporate networks.
## Exploitation
- **Status:** Exploited in the wild
- **Complexity:** Medium
- **Attack Vector:** Network
---
# Vulnerability: LANSCOPE Endpoint Manager Flaw
## CVE Details
- **CVE ID:** [CVE-2025-61932]
- **CVSS Score:** 9.3 (Critical)
- **CWE:** Not specified
## Affected Systems
- **Products:** Motex LANSCOPE Endpoint Manager
- **Versions:** Versions prior to the October 2025 updates.
## Vulnerability Description
A critical flaw in an on-premise endpoint management product used primarily for asset tracking and security. Compromise of an endpoint-management product is high impact because the management tier is trusted by every managed endpoint to deliver software and commands, so a foothold there can be extended across the fleet.
## Exploitation
- **Status:** Exploited in the wild (attributed to Bronze Butler, also tracked as Tick)
- **Complexity:** Low
- **Attack Vector:** Network
---
## Remediation (General for 2025/2026 Trends)
### Patches
- **Cisco AsyncOS:** Update to the fixed AsyncOS release published with Cisco's advisory of December 17, 2025.
- **Cisco ASA/FTD:** Apply the fixed releases published with Cisco's advisories of late September 2025.
- **Motex LANSCOPE:** Update to the patched version released in October 2025.
### Workarounds
- **Network Segmentation:** Isolate management interfaces for Cisco and Motex products from the public internet. Note that this does not cover services that are internet-facing by design (such as the ASA/FTD remote-access VPN web interface exploited in the chain above), so for those the patch is the only complete fix.
- **Access Control Lists (ACLs):** Restrict access to vulnerable services to known, trusted IP addresses only.
## Detection
- **Behavioral Indicators:** Monitor for unusual outbound connections initiated by security appliances and endpoint management servers themselves; these devices normally talk only to vendor update services and internal infrastructure.
- **Detection Methods:**
- Audit logs for unauthorized administrative logins or configuration changes.
- Utilize EASM (External Attack Surface Management) to identify unpatched, internet-facing appliances.
- Monitor for the TTPs (Tactics, Techniques, and Procedures) published for UAT-9686, UAT4356, and Bronze Butler.
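As an added example (not from the Outpost24 post or any vendor's tooling), the following Python script applies two of the detection methods above to constructed sample data. It flags ASA-style "Login permitted" syslog messages (message ID 605005; the field layout is assumed from Cisco's public syslog message guide) that come from outside a management allowlist or arrive on a non-management interface, and it flags network flows in which a security appliance itself initiates a connection to a destination outside its expected update ranges. The allowlists, appliance addresses, interface names and log lines are all assumptions for illustration.

```python
"""Added example: triage helpers for two detection methods on this page.

All addresses, interface names, allowlists and log lines below are constructed
for illustration and are not real captures or vendor defaults.
"""
import ipaddress
import re

# Assumption: admin sessions are legitimate only from this jump-host subnet and
# only on the interface named "management".
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]
MGMT_INTERFACES = {"management"}

# Assumption: addresses of the security appliances being watched, the RFC 1918
# ranges they may talk to internally, and the vendor update/telemetry range
# they may reach on the internet. Anything else they initiate is suspicious.
APPLIANCE_IPS = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.20")}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUTBOUND_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# ASA "Login permitted" message (ID 605005). Field layout assumed from Cisco's
# public syslog guide: "Login permitted from SRC/PORT to IFACE:DST/SERVICE for user "NAME"".
LOGIN_RE = re.compile(
    r'%ASA-6-605005: Login permitted from (?P<src>[\d.]+)/\d+ '
    r'to (?P<iface>\w+):[\d.]+/(?P<svc>\w+) for user "(?P<user>[^"]+)"'
)

# Constructed sample syslog lines.
SAMPLE_SYSLOG = [
    '%ASA-6-605005: Login permitted from 10.10.0.5/51422 to management:10.20.0.10/ssh for user "netops"',
    '%ASA-6-605005: Login permitted from 198.51.100.77/44021 to outside:192.0.2.1/https for user "admin"',
    '%ASA-6-605005: Login permitted from 10.10.0.8/51500 to inside:10.20.0.11/ssh for user "netops"',
    '%ASA-6-302013: Built outbound TCP connection 4021 for outside:198.51.100.200/443 to inside:10.30.0.5/50211',
]

# Constructed sample flows as (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.20.0.10", "203.0.113.40", 443),    # appliance -> vendor update range: expected
    ("10.20.0.10", "10.30.0.5", 514),       # appliance -> internal syslog collector: expected
    ("10.20.0.20", "198.51.100.200", 443),  # appliance -> unknown external host: flag
    ("10.30.0.5", "198.51.100.200", 443),   # ordinary host, not an appliance: out of scope here
]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def flag_admin_logins(syslog_lines):
    """Return (user, src_ip, reason) for each permitted admin login that came
    from outside the management allowlist or landed on a non-management interface."""
    findings = []
    for line in syslog_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login-permitted message
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if not _in_any(src, MGMT_ALLOWLIST):
            reasons.append(f"source {src} not in management allowlist")
        if m["iface"] not in MGMT_INTERFACES:
            reasons.append(f"login on non-management interface '{m['iface']}'")
        if reasons:
            findings.append((m["user"], str(src), "; ".join(reasons)))
    return findings


def flag_appliance_outbound(flows):
    """Return the flows in which a monitored appliance initiates a connection to
    a destination that is neither internal nor in the vendor allowlist. A
    perimeter device beaconing to an unknown host is a strong post-exploitation signal."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in APPLIANCE_IPS:
            continue
        if _in_any(d, INTERNAL_RANGES) or _in_any(d, OUTBOUND_ALLOWLIST):
            continue
        findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    for user, src, reason in flag_admin_logins(SAMPLE_SYSLOG):
        print(f"LOGIN  user={user} src={src}: {reason}")
    for src, dst, port in flag_appliance_outbound(SAMPLE_FLOWS):
        print(f"EGRESS appliance={src} -> {dst}:{port}")
```

In practice the allowlists would come from the same source of truth that drives the ACLs in the Workarounds section above, so that a login or egress that the ACL should have blocked is treated as a control failure rather than noise.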
## References
- Cisco Talos (UAT-9686): [https://blog.talosintelligence.com/uat-9686/]
- Tenable Analysis: [https://www.tenable.com/blog/cve-2025-20333-cve-2025-20362-faq-cisco-asa-ftd-zero-days-uat4356]
- Sophos Intelligence: [https://www.sophos.com/en-us/blog/bronze-butler-exploits-japanese-asset-management-software-vulnerability]
- Outpost24 Analysis: [https://outpost24.com/blog/lessons-from-2025-zero-day-exploitation-shaping-2026/]