The most severe flaw, tracked as CVE-2025-10035, with a CVSS score of 10, is a deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere Managed File Transfer (MFT) tool. An attacker could forge a license response signature when interacting with the servlet, leading to deserialization of an attacker-controlled object, which could then lead to arbitrary command injection.

The method an unauthenticated attacker could use to construct a valid license response was described by watchTowr in a report published Sept. 24, about a week after the flaw was first disclosed. The report explained how crafting a request to the /goanywhere/license/Unlicensed.xhtml endpoint to trigger an error will lead to the generation and exposure of an encrypted token that can be decrypted and used to craft a valid license response.

In a subsequent Sept. 25 report, watchTowr revealed evidence of in-the-wild exploitation of CVE-2025-10035, saying the flaw may have been exploited since Sept. 10, eight days prior to its disclosure. Remediation of the flaw requires upgrading to the latest release 7.8.4 or the Sustain Release 7.6.3, according to Fortra.

Sudo flaw, CVE-2025-32463

The second most severe vulnerability is a critical flaw in the Sudo command-line utility for Linux and Unix-like operating systems. The flaw, tracked as CVE-2025-32463, has a CVSS score of 9.3 and could enable a local attacker to execute arbitrary commands as root.

This flaw stems from the chroot feature, which was removed in the fixed version 1.9.17p1. The chroot feature changes the apparent root directory for a process and confines the command to that specific directory.

Stratascale researchers discovered that a local attacker could plant an /etc/nsswitch.conf configuration file and a corresponding malicious library into a directory, which would then be followed (instead of the legitimate config file) whenever the directory is “chrooted.” The vulnerability could potentially be exploited by any user with the ability to write files, even if the user does not have permission to run sudo commands themselves.

Cisco IOS/IOS XE vulnerability, CVE-2025-20352

Also added to the KEV Monday was the Cisco IOS/IOS XE flaw tracked as CVE-2025-20352, which was exploited as a zero-day prior to its disclosure last week. The flaw, which has a CVSS score of 7.7, could allow a low-privileged authenticated attacker to cause a denial of service (DoS) on IOS/IOS XE devices and an authenticated attacker with high privileges to escalate privileges and execute code as root on devices running IOS XE.

The flaw can be exploited remotely by sending crafted Simple Network Management Protocol (SNMP) packets to affected devices over IPv4 or IPv6 networks. The flaw was fixed in newer releases of IOS and IOS XE, with Cisco advising customers to use the Cisco Software Checker to identify the appropriate fixed release for their devices.

Two lower-severity flaws — a Libraesva Email Security Gateway (ESG) command injection bug tracked as CVE-2025-59689 and an Adminer server-side request forgery (SSRF) tracked as CVE-2021-21311 — were also added to the KEV Monday.

Libraesva disclosed one case of exploitation in its advisory for CVE-2025-59689 last week and provided fixes for the vulnerability in versions 5.031, 5.1.20, 5.2.31, 5.3.16, 5.4.8 and 5.5.7.

Federal Civilian Executive Branch (FCEB) agencies are required to mitigate all of these vulnerabilities by Oct. 20, 2025.