CVE Trends

CVE-2025-31200 is a memory corruption vulnerability that exists in Apple's CoreAudio framework. This vulnerability can be triggered when processing an audio stream within a maliciously crafted media file. Successful exploitation of this vulnerability could allow for arbitrary code execution on the affected device. Apple has addressed this issue with improved bounds checking in tvOS 18.4.1, visionOS 2.4.1, iOS and iPadOS 18.4.1, and macOS Sequoia 15.4.1. It was reported that this vulnerability may have been exploited in targeted attacks against specific individuals.

CVE-2025-37899 is a use-after-free vulnerability found in the ksmbd component of the Linux kernel, which is an in-kernel server implementing the SMB3 protocol for file sharing over networks. Specifically, the vulnerability exists in the session logoff handler. The vulnerability occurs because the `sess->user` object can be freed by one thread processing a logoff command while another thread, handling a new connection's session setup request, might still be accessing the same `sess->user` object. This concurrent access can lead to memory corruption and potentially allow attackers to execute arbitrary code with kernel privileges.

CVE-2025-4428 is a remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device. The vulnerability is associated with an open-source library integrated into EPMM. Ivanti released a security advisory on May 13, 2025, to address this vulnerability, along with an authentication bypass vulnerability (CVE-2025-4427). It was found that chaining the two vulnerabilities together could lead to unauthenticated remote code execution. Ivanti is aware of a limited number of customers whose systems have been exploited.

CVE-2025-0072 is a use-after-free vulnerability found in the Arm Ltd Valhall GPU Kernel Driver and Arm 5th Gen GPU Architecture Kernel Driver. It allows a local, non-privileged user process to perform improper GPU memory processing operations, potentially gaining access to memory that has already been freed. This vulnerability affects the Valhall GPU Kernel Driver versions r29p0 through r49p3, and r50p0 through r53p0, as well as the Arm 5th Gen GPU Architecture Kernel Driver versions r41p0 through r49p3, and r50p0 through r53p0. It was patched in Mali driver version r54p0, released on May 2, 2025, and was included in Android's May 2025 security update.

CVE-2025-32756 is a stack-based buffer overflow vulnerability that affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted HTTP requests. Fortinet has observed active exploitation of this vulnerability in the wild, specifically targeting FortiVoice systems. During the exploitation of CVE-2025-32756, threat actors have been observed performing network scans, deleting system crash logs to conceal their activity, and enabling 'fcgi debugging' to log credentials. Additionally, they have been seen deploying malware, establishing cron jobs to harvest credentials, and using scripts to conduct network reconnaissance on compromised devices.

CVE-2025-37891 is a buffer overflow vulnerability found in the Linux kernel's ALSA (Advanced Linux Sound Architecture) UMP (Universal MIDI Packet) subsystem. Specifically, the issue lies within the MIDI 1.0 to UMP packet conversion function. The internal buffer, intended to hold incoming MIDI bytes, is only 4 bytes in size. This buffer size is insufficient for handling SysEx messages, which can be up to 6 bytes long. Consequently, when a SysEx message exceeding 4 bytes is received, a buffer overflow occurs, potentially leading to memory corruption. A patch has been implemented to resolve this vulnerability by extending the buffer size to 6 bytes to properly accommodate SysEx UMP messages.

CVE-2025-3928 is an unspecified vulnerability in the Commvault Web Server. It allows a remote, authenticated attacker to create and execute webshells on the affected server. The vulnerability can be exploited by any authenticated remote user, without requiring administrative privileges. CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog and recommends applying available vendor mitigations. Patches are available for Windows and Linux platforms in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217.

CVE-2025-40775 affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7. The vulnerability arises when BIND encounters an incoming DNS protocol message that includes a Transaction Signature (TSIG). Specifically, the vulnerability triggers when the TSIG contains an invalid value in the algorithm field. In such cases, BIND immediately aborts with an assertion failure.

CVE-2023-20118 is a vulnerability affecting the web-based management interface of several Cisco Small Business Routers, including RV016, RV042, RV042G, RV082, RV320, and RV325 models. It stems from improper validation of user input within incoming HTTP packets. An attacker with valid administrative credentials could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. Successful exploitation could allow the attacker to execute arbitrary commands on the device and gain unauthorized access to data. Cisco has stated they will not release software updates to address this vulnerability.

CVE-2025-37778 is a use-after-free vulnerability found in the Linux kernel's ksmbd component, specifically within the Kerberos authentication pathway during remote client session setups. The vulnerability arises when the `krb_authenticate` function frees `sess->user` but doesn't set the pointer to NULL. Subsequently, `ksmbd_krb5_authenticate` might not reinitialize `sess->user`, leading `smb2_sess_setup` to access freed memory when using `sess->user`. This flaw can lead to memory corruption, potentially allowing an attacker to execute arbitrary code with kernel privileges. The vulnerability affects multiple versions of the Linux kernel, and distributions like SUSE are actively working on providing patches.