🔥 Top 10 Cyber Attacks & Critical CVEs — What to Patch Now
By CyberDudeBivash — Cybersecurity & AI Threat Intel

 


  1. Microsoft Exchange (Hybrid) – CVE-2025-53786
    Improper authentication in hybrid trust lets an on-prem Exchange admin pivot into Exchange Online/Entra ID. Rotate hybrid trust, patch, re-run HCW, revoke tokens, hunt for rogue service principals & inbox rules. (Sources: CISA, TechRadar)

  2. Trend Micro Apex One (On-Prem) – CVE-2025-54948/54987
    Unauthenticated/low-auth command injection → RCE on the management console. Do not expose the console to the internet; apply the fix tool/patch; disable Remote Install Agent; monitor console-spawned shells. (Sources: The Hacker News, TechRadar, secpod.com)

  3. Axis Video Estates (Axis.Remoting) – CVE-2025-30023/24/25/26
    Pre-/post-auth flaws enable AitM and RCE on Device Manager/Camera Station; 6,500+ exposed servers online. Patch to fixed versions, remove from internet, segment OT, alert on Axis.Remoting traffic. (Sources: The Hacker News, Claroty, infosecurity-magazine.com)

  4. Apache Camel – CVE-2025-29891
    Default incoming header filter allows Camel control headers via HTTP headers/parameters → method hijack (camel-bean) or OS command exec (camel-exec). Upgrade, strip Camel*/CamelExec* at ingress, use header allowlists and explicit bean methods. (Sources: Apache Camel, GitHub)

  5. HashiCorp Vault – Multiple Zero-days (Auth bypass, MFA issues, RCE paths)
    Research disclosed nine Vault flaws (plus Conjur) affecting auth/identity/policy; treat as secrets-backbone risk. Upgrade, harden auth methods, audit policies/tokens, alert on new plugins/audit backends. (Sources: cyata.ai, darkreading.com)

  6. Palo Alto PAN-OS – CVE-2025-0108 (Auth bypass)
    Mgmt WebUI auth bypass; PoC public. Restrict management plane, patch to fixed trains (11.2.6/11.1.6-h14/10.2.13-h7/10.1.14-h15). (Sources: NVD, socradar.io, Cyber Security Agency of Singapore)

  7. Palo Alto PAN-OS – CVE-2025-4230/4233 (admin injection & cache issues)
    Chained post-auth vectors reported; ensure you’re on latest maintenance releases; enforce MFA & role separation for admins. (Sources: security.paloaltonetworks.com, infosecurity-magazine.com)

  8. VMware vCenter – CVE-2025-41225 (Authenticated command exec)
    Users with alert/script privileges can execute commands on vCenter; patch immediately and restrict scripted alerts. (Source: nsfocusglobal.com)

  9. VMware vCenter – CVE-2025-41241 (DoS)
    Denial-of-service fixed by Broadcom in July; apply the VMSA matrix patches. (Sources: Support Portal, nolabnoparty.com)

  10. OpenSSH regreSSHion – CVE-2024-6387 (still in play)
    Unauth RCE (race condition) on certain glibc/32-bit servers continues to surface in scans. Update OpenSSH, add rate-limits, prefer key-based auth, EDR rules for sshd crashes/spawns. (Sources: Unit 42, qualys.com)


Defender Playbook (copy/paste)

  • Edge/WAF: Block/alert on Camel*/CamelExec* keys; throttle /owa, /ecp, Apex One console paths; geo/ASN allowlists for admin panes. (Sources: Apache Camel, The Hacker News)

  • Identity (M365/Entra): Hunt for new service principals/app consents; revoke refresh tokens; CA policies for device/compliant access. (Source: CISA)

  • EDR: Detect parent java/jetty/httpd/w3wp spawning shells; monitor bash/cmd/powershell from security consoles and vCenter services. (Sources: The Hacker News, nsfocusglobal.com)

  • Secrets: Vault plugin/audit backend changes → page the on-call. (Source: cyata.ai)
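
The Edge/WAF item above and the Apache Camel entry (item 4) both call for stripping Camel*/CamelExec* keys at ingress and using header allowlists. The sketch below is an added example, not code from the original post or from Apache Camel: the function names, the sample request and the extra `org.apache.camel.` prefix are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# "camel" (case-insensitive) covers the Camel*/CamelExec* keys named above;
# "org.apache.camel." is an extra prefix added here as an assumption.
BLOCKED_PREFIXES = ("camel", "org.apache.camel.")


def is_control_key(name):
    """True when a header or parameter name looks like a Camel control key."""
    return name.strip().lower().startswith(BLOCKED_PREFIXES)


def scrub_request(headers, query_string, allowed_headers=None):
    """Strip Camel control keys from (name, value) headers and a raw query string.

    allowed_headers: optional set of lowercase header names; when given, any
    header outside it is dropped as well (allowlist mode).
    Returns (clean_headers, clean_query, findings); findings feed the alert.
    """
    clean_headers, clean_params, findings = [], [], []
    for name, value in headers:
        if is_control_key(name):
            findings.append(("header", name))
        elif allowed_headers is None or name.lower() in allowed_headers:
            clean_headers.append((name, value))
    # parse_qsl percent-decodes names, so an encoded key (%43amel...) is caught too.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if is_control_key(name):
            findings.append(("param", name))
        else:
            clean_params.append((name, value))
    return clean_headers, urlencode(clean_params), findings


# Constructed sample request; the Camel-prefixed key names are made up.
SAMPLE_HEADERS = [
    ("Host", "orders.example.internal"),
    ("Content-Type", "application/json"),
    ("camelexecdemo", "placeholder"),
    ("X-Request-Id", "abc123"),
]
SAMPLE_QUERY = "id=42&%43amelDemoKey=placeholder&page=1"

if __name__ == "__main__":
    headers, query, findings = scrub_request(SAMPLE_HEADERS, SAMPLE_QUERY)
    print("forwarded headers:", headers)
    print("forwarded query:  ", query)
    print("alert on:         ", findings)
```

Form-encoded body parameters can be run through `parse_qsl` and `is_control_key` the same way before the request reaches a Camel route.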
