2025.08

Features & Enhancements

New Rapid Response cards and tests were released to quickly assess exposure to several prominent vulnerabilities:

Xerox FreeFlow Core (CVE-2025-8356): Path traversal vulnerability in Xerox FreeFlow Core workflow automation that could allow remote code execution by unauthenticated attackers.
Fortinet FortiSIEM (CVE-2025-25256): Unauthenticated OS command injection via crafted CLI requests (phMonitor/TCP 7900) enabling remote code execution.
Citrix NetScaler ADC & Gateway (CVE-2025-7776): Memory overflow flaw that can trigger denial of service on appliances configured as Gateway/AAA with a PCoIP profile (not RCE).
CrushFTP (CVE-2025-54309): AS2 validation flaw allowing attackers to bypass authentication and obtain admin access via HTTPS; DMZ proxy setups are not affected.

UI Enhancements for Rapid Response

CVE aliases (e.g., CitrixBleed2 for CVE-2025-5777) are now displayed for clarity.
CVE IDs are shown alongside H3 Weakness IDs, making it easier to correlate NodeZero findings with public CVE disclosures.

Cisco HyperFlex HX (CVE-2021-1498): Critical vulnerability in Cisco HyperFlex software where improper input validation allows unauthenticated remote attackers to execute arbitrary commands as the root user.
Active Directory Enhancements:
Expanded domain trust enumeration capabilities.
Support for cross-domain attacks such as the Golden Ticket technique.
Smarter extraction of passwords from AD attributes to strengthen privilege escalation paths.
Updated CVE-2024-8069 (Citrix Session Recording) and CVE-2025-20281 (Cisco ISE/ISE-PIC) to reflect their addition to the CISA KEV list.

Added a “child of” indicator in account settings for clearer hierarchy mapping.
Subclient assets now display directly on the asset page for improved visibility.

Minor visual refinements and consistency improvements across client management views.