In this week’s Security Advisory

  • Cisco Patches Critical Vulnerability in Firewall Management Center
  • Two Vulnerabilities in N-able’s N-central added to CISA KEV List
  • WordPress Scheduling Plugin Vulnerable to Arbitrary File Upload
  • WordPress Custom API WP Plugin Vulnerable to SQL Injection

Cisco Patches Critical Actively Exploited Vulnerability in Firewall Management Center

Cisco released patches for more than 20 new vulnerabilities affecting its Secure Firewall Management Center (FMC), Secure Firewall Threat Defense (FTD), and Secure Firewall Adaptive Security Appliance (ASA) products. The most serious is CVE-2025-20265 (CVSS 10/10) in FMC, the platform that manages FTD devices and their policies. The flaw is in FMC's RADIUS authentication subsystem: an unauthenticated remote attacker who can reach the web management interface or SSH can send crafted input during the authentication phase and have the resulting shell commands executed on the FMC host. Cisco has also stated that this vulnerability is under active exploitation. CyberMaxx strongly recommends patching this urgently.

Affected Versions

  • A full list of affected versions can be found in Cisco's security advisory for CVE-2025-20265. Only FMC deployments with RADIUS authentication enabled for the web management interface, SSH management, or both are exposed; deployments using local accounts, LDAP, or SAML SSO for authentication are not affected by this particular flaw.

Recommendations

  • Apply the latest patches.
  • If patching must wait, Cisco's workaround is to switch FMC authentication from RADIUS to another method (local accounts, LDAP, or SAML SSO) until the fixed release is installed.
  • CyberMaxx also recommends restricting access to the FMC management interface (HTTPS and SSH) to trusted internal addresses or a management VPN; it should never be reachable from the internet.

More Reading / Information

Two Vulnerabilities in N-able’s N-central added to CISA KEV List

N-central is the Remote Monitoring and Management (RMM) platform offered by N-able. Two vulnerabilities in it, CVE-2025-8875 and CVE-2025-8876, have been exploited in the wild and added to CISA's KEV list. Detailed technical write-ups have not been published; CISA's KEV entries describe CVE-2025-8875 as an insecure deserialization flaw and CVE-2025-8876 as a command injection flaw, and N-able notes that both require an authenticated session. Because an RMM server can push scripts and software to every endpoint it manages, a compromised N-central is effectively a compromise of the whole managed fleet, so with attacks ongoing it is highly recommended to upgrade to the latest version. Only on-premises deployments are affected.

Affected Versions

  • All on-premises versions prior to 2025.3.1.

Recommendations

  • Upgrade to N-central 2025.3.1 or later.
  • Enforce multi-factor authentication on all N-central administrator accounts, since both flaws require valid credentials, and review the audit logs for unexpected admin logins, newly added scripts, or automation jobs you did not create.

More Reading / Information

WordPress Scheduling Plugin Vulnerable to Arbitrary File Upload

The Online Booking & Scheduling Calendar for WordPress plugin by vcita contains an arbitrary file upload vulnerability. An attacker who exploits it can upload a file of any type to the site, including a PHP web shell, and then request that file to run code on the web server. This vulnerability is being tracked as CVE-2025-54677 (CVSS 9.1/10).

Affected Versions

  • Online Booking & Scheduling Calendar for WordPress by vcita Plugin version 4.5.3 or earlier.

Recommendations

  • Update to version 4.5.5 or later.
  • If the site was reachable while the vulnerable version was installed, treat it as potentially compromised: check wp-content/uploads for PHP files, double-extension files (for example shell.php.jpg), and unexpected .htaccess or .user.ini files, and review web server logs for POST requests to the plugin's upload handling.
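The check above, as an added example that is not vcita's or CyberMaxx's code: it walks a WordPress uploads directory and flags files the PHP engine would execute, files that hide PHP code behind a harmless-looking extension, and handler-override files an attacker drops so that other extensions execute. The extension set and the sample tree it builds are assumptions for illustration; mirror your own web server's handler configuration in PHP_EXTENSIONS before relying on it.

```python
"""Hunt for web shells left behind by an arbitrary file upload bug.

Added example (not the plugin's or the advisory's code). Scans an uploads
directory and reports why each flagged file looks suspicious.
"""
import os
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler. Assumption: your web server
# config may map more or fewer; mirror its AddHandler / location rules here.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
# Byte patterns that mean "this file contains PHP code", whatever it is named.
PHP_MARKERS = (b"<?php", b"<?=")
# Files that change how the server treats everything else in the directory.
OVERRIDE_FILES = {".htaccess", ".user.ini"}


def classify(path: Path) -> list:
    """Return the reasons a file looks suspicious; an empty list means clean."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in PHP_EXTENSIONS:
        reasons.append("php-extension")
    # shell.php.jpg: some Apache AddHandler setups execute the inner extension
    if len(suffixes) > 1 and any(s in PHP_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("double-extension")
    if path.name.lower() in OVERRIDE_FILES:
        reasons.append("handler-override")
    try:
        head = path.read_bytes()[:65536]  # markers near the top are enough
    except OSError:
        return reasons
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("php-code-in-content")
    return reasons


def scan_uploads(root: str) -> dict:
    """Walk `root` and map each flagged file's relative path to its reasons."""
    findings = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            path = Path(dirpath) / name
            reasons = classify(path)
            if reasons:
                findings[path.relative_to(root_path).as_posix()] = reasons
    return findings


def build_sample_uploads() -> str:
    """Construct a throwaway uploads tree (sample data, not a real incident)."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = Path(root) / "2025" / "08"
    month.mkdir(parents=True)
    (month / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF fake jpeg bytes")     # clean
    (month / "shell.php").write_bytes(b"<?php system($_GET['c']); ?>")             # obvious shell
    (month / "logo.php.jpg").write_bytes(b"GIF89a<?php eval($_POST['x']); ?>")    # polyglot
    (month / ".htaccess").write_bytes(b"AddType application/x-httpd-php .jpg\n")  # handler override
    return root


if __name__ == "__main__":
    sample_root = build_sample_uploads()
    for rel_path, why in sorted(scan_uploads(sample_root).items()):
        print(f"{rel_path}: {', '.join(why)}")
```

Run it against the real wp-content/uploads path instead of the sample tree; anything it reports under an uploads directory deserves a look, because WordPress never writes PHP there itself.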

More Reading / Information

WordPress Custom API WP Plugin Vulnerable to SQL Injection

The miniOrange Custom API for WP plugin contains an SQL injection vulnerability: user-supplied input is placed into SQL queries without proper escaping or parameterization, so special characters such as a single quote let an attacker terminate the intended string literal and append SQL of their own. Exploitation could give a malicious actor full access to the database, including the password hashes in wp_users and any secrets stored in wp_options. This vulnerability is being tracked as CVE-2025-54048 (CVSS 9.3/10).

Affected Versions

  • miniOrange Custom API version 4.2.2 or earlier.

Recommendations

  • Update to version 4.2.3 or later.
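To make "improper handling of special characters" concrete, here is an added example (not miniOrange's code) of the bug class: a lookup built by string interpolation beside the same lookup with bound parameters, which is what WordPress's $wpdb->prepare() does for plugin authors. It runs against an in-memory SQLite database with constructed rows; the table and column names mimic WordPress but are sample data.

```python
"""Why a stray quote character turns a lookup into full database access.

Added example, not the plugin's code. Vulnerable and safe versions of the
same query, run against constructed sample data in SQLite.
"""
import sqlite3

# Constructed sample rows (not real accounts or secrets).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "administrator"),
    ("bob", "bob@example.com", "editor"),
    ("carol", "carol@example.com", "subscriber"),
]
SAMPLE_OPTIONS = [
    ("siteurl", "https://blog.example"),
    ("api_secret", "s3cr3t-token"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_email TEXT, role TEXT)")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_login: str) -> list:
    """Interpolates untrusted input into SQL; a quote breaks out of the literal."""
    sql = (
        "SELECT user_login, user_email, role FROM wp_users "
        f"WHERE user_login = '{user_login}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_login: str) -> list:
    """Binds the value as a parameter; the driver never treats it as SQL syntax."""
    sql = "SELECT user_login, user_email, role FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (user_login,)).fetchall()


# Constructed payloads. The first makes the WHERE clause always true; the
# second uses UNION to pull rows out of a different table entirely.
PAYLOAD_TAUTOLOGY = "nobody' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT option_name, option_value, '' FROM wp_options WHERE '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, PAYLOAD_TAUTOLOGY))  # every user
    print("vulnerable, union:    ", lookup_vulnerable(db, PAYLOAD_UNION))      # wp_options rows
    print("safe, tautology:      ", lookup_safe(db, PAYLOAD_TAUTOLOGY))        # no such user
    print("safe, real login:     ", lookup_safe(db, "alice"))                  # one row
```

The UNION payload is the one that matters for "full access to the database": once the attacker controls the tail of the statement, the table the query was written for no longer bounds what comes back. Escaping alone is brittle; parameter binding removes the problem by keeping data and SQL on separate channels.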

More Reading / Information

Recommendations

Please review your environment to ensure the issues above are patched promptly. Regularly updating and patching software to the latest versions is a security best practice. The vulnerabilities above also highlight the benefit of limiting deployed software to vendor-supported versions only: it dramatically increases the likelihood that a patch already exists when a new vulnerability is disclosed. Likewise, CyberMaxx strongly encourages maintaining an inventory of the software currently in your environment; without one you cannot tell which of this week's advisories apply to you, and with one your patch and vulnerability management program has something concrete to work from.
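As an added example of turning an inventory into an answer (not CyberMaxx's or WordPress's code), the following reads the header comment WordPress puts at the top of every plugin's main PHP file, extracts the plugin name and version, and compares the version numerically against the affected ranges stated in the two WordPress items above. The ADVISORIES match keys and the two sample plugin headers are assumptions for illustration; the ceilings and fixed versions are the ones this advisory reports.

```python
"""Check installed WordPress plugins against this advisory's affected ranges.

Added example, not WordPress's or the vendors' code. Parses the standard
plugin header block and compares versions as numbers, so 4.5.10 is newer
than 4.5.5 (a plain string compare would get that wrong).
"""
import re
from pathlib import Path
from typing import Optional

# (substring of the "Plugin Name:" line, CVE, affected up to and including,
#  first fixed version). Ceilings/fixes are from the advisory above; the match
# keys are an assumption, adjust them to the names your install reports.
ADVISORIES = [
    ("vcita", "CVE-2025-54677", "4.5.3", "4.5.5"),
    ("custom api", "CVE-2025-54048", "4.2.2", "4.2.3"),
]

# Header lines look like " * Version: 4.5.3" or "Version: 4.5.3".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> dict:
    """Extract Plugin Name and Version from the leading comment block."""
    header = php_source.split("*/", 1)[0]  # only the first comment block counts
    return {key: value for key, value in HEADER_RE.findall(header)}


def version_tuple(version: str) -> tuple:
    """Numeric comparison key; a pre-release tag after the digits is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def assess(php_source: str) -> Optional[dict]:
    """Return a finding if the plugin matches an advisory, else None."""
    header = parse_plugin_header(php_source)
    name, version = header.get("Plugin Name", ""), header.get("Version")
    if not version:
        return None
    for key, cve, ceiling, fixed in ADVISORIES:
        if key in name.lower():
            return {
                "plugin": name,
                "version": version,
                "cve": cve,
                "vulnerable": version_tuple(version) <= version_tuple(ceiling),
                "fixed_in": fixed,
            }
    return None


def scan_plugins_dir(plugins_root: str) -> list:
    """Assess every plugin under wp-content/plugins; the main file is the
    top-level .php file whose header names the plugin."""
    findings = []
    for entry in sorted(Path(plugins_root).iterdir()):
        candidates = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        for php_file in candidates:
            if php_file.suffix != ".php":
                continue
            finding = assess(php_file.read_text(errors="ignore"))
            if finding:
                findings.append(finding)
                break
    return findings


# Constructed sample headers (assumed names; versions chosen to show both outcomes).
SAMPLE_VCITA = """<?php
/**
 * Plugin Name: Online Booking & Scheduling Calendar for WordPress by vcita
 * Version: 4.5.3
 */
"""
SAMPLE_MINIORANGE = """<?php
/*
Plugin Name: Custom API for WP
Version: 4.2.10
*/
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VCITA, SAMPLE_MINIORANGE):
        print(assess(sample))
```

Point scan_plugins_dir at wp-content/plugins on a live host and you get the list of installed plugins that still sit inside an affected range; extend ADVISORIES each week rather than rewriting the check.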