Vulnerability intelligence

CVE-2025-68947 is a driver vulnerability found in NSecsoft's NSecKrnl Windows driver. This flaw allows a local, authenticated attacker to terminate processes belonging to other users, including those running as SYSTEM or designated as Protected Processes. This is achieved by sending specially crafted Input/Output Control (IOCTL) requests to the driver. The vulnerability is categorized under CWE-862 (Missing Authorization), indicating that the NSecKrnl driver fails to properly validate the authorization of requests to terminate processes. This issue presents a "Bring Your Own Vulnerable Driver" (BYOVD) attack surface, which can be leveraged by threat actors to disable endpoint security solutions and other critical system processes. For instance, the Black Basta ransomware has been observed utilizing this vulnerability.

CVE-2025-1974 is a vulnerability within the Ingress NGINX Controller for Kubernetes, specifically affecting the admission controller component. This flaw falls under a group of vulnerabilities collectively known as "IngressNightmare." The vulnerability arises because the admission controllers are accessible over the network without authentication. By sending a malicious ingress object directly to the admission controller, an attacker can inject arbitrary NGINX configurations. This results in code execution on the Ingress NGINX Controller's pod, potentially granting unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, which could lead to a complete cluster takeover.

CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR. It allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild. It was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. The vulnerability was exploited in phishing attacks to deliver RomCom malware. The attackers can trick the program into saving a file in a different location than the user intended, such as the computer's Startup folder. This allows the attackers to execute their own code. WinRAR patched the vulnerability in version 7.13.

CVE-2026-24423 is an unauthenticated remote code execution vulnerability found in SmarterTools SmarterMail versions prior to build 9511. The flaw resides within the `ConnectToHub` API method, which lacks proper authentication controls. An attacker can exploit this vulnerability by directing the vulnerable SmarterMail instance to connect to a malicious HTTP server. This malicious server then delivers operating system commands, which are subsequently executed by the SmarterMail application. This vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog and is reportedly being exploited in the wild, including in ransomware campaigns.

CVE-2025-11953 is a vulnerability in the `@react-native-community/cli` NPM package, specifically affecting versions 4.8.0 through 20.0.0-alpha.2. This flaw stems from the Metro development server, used by React Native, binding to external interfaces by default and exposing an "/open-url" endpoint susceptible to OS command injection. The vulnerability allows unauthenticated network attackers to send a POST request to the server, running arbitrary executables. On Windows, attackers can execute arbitrary shell commands with fully controlled arguments. While macOS and Linux systems have slightly more restricted exploitation paths, researchers believe arbitrary command execution is achievable. The package has been patched in version 20.0.0.

CVE-2025-40551 is a remote code execution (RCE) vulnerability identified in SolarWinds Web Help Desk (WHD) software. This flaw originates from an untrusted data deserialization weakness, which allows an attacker to execute commands on the host machine. Exploitation of CVE-2025-40551 can occur without requiring authentication. This vulnerability is often discussed alongside other related issues in SolarWinds WHD, forming potential attack chains.