Vulnerability intelligence

CVE-2025-49113 is a remote code execution vulnerability affecting Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. It stems from the insufficient validation of the `_from` parameter in the `program/actions/settings/upload.php` file. This lack of validation allows for PHP Object Deserialization, potentially enabling authenticated users to execute arbitrary code on the Roundcube Webmail server. The vulnerability has been addressed in Roundcube Webmail versions 1.5.10 and 1.6.11.

CVE-2025-49144 is a privilege escalation vulnerability found in Notepad++ version 8.8.1 and prior. It stems from the installer's insecure handling of executable search paths, which could allow an attacker to gain SYSTEM-level privileges. The vulnerability exists because the installer searches for executable dependencies in the current working directory without proper validation. An attacker could exploit this by using social engineering or clickjacking to trick a user into downloading both the legitimate Notepad++ installer and a malicious executable into the same directory (often the Downloads folder). When the user runs the installer, the malicious executable would be loaded and executed with SYSTEM privileges, granting the attacker control over the system. This issue has been addressed in Notepad++ version 8.8.2 by enforcing absolute paths for critical operations.

CVE-2025-6019 is a local privilege escalation (LPE) vulnerability found in the libblockdev library. It can be exploited by accessing the udisks2 daemon, which manages storage devices, if an attacker gains the privileges of an active user (allow_active). This vulnerability exists because udisks mounts user-provided filesystem images with security flags to prevent privilege escalation. A local attacker can create a specially crafted XFS image containing a SUID-root shell and trick udisks into resizing it. This action mounts the malicious filesystem with root privileges, allowing the attacker to execute their SUID-root shell and gain complete control of the system. The vulnerability is triggered because the mount is performed without enforcing `nosuid` or `nodev` options.

CVE-2023-0386 is a flaw found in the Linux kernel's OverlayFS subsystem. It involves unauthorized access to the execution of a setuid file with capabilities. Specifically, the vulnerability lies in how a user copies a capable file from a nosuid mount into another mount. This "uid mapping bug" allows a local user to escalate their privileges on the system. The kernel fails to check if the user/group owning a file copied from the overlay file system to the 'upper' directory is mapped in the current user namespace. This can be exploited to create a SUID binary owned by root, allowing an unprivileged user to gain elevated privileges.

CVE-2023-33538 is a command injection vulnerability found in TP-Link routers, specifically the TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 models. The vulnerability exists within the `/userRpm/WlanNetworkRpm` component. This vulnerability allows an attacker to inject arbitrary commands into the system by manipulating an unknown input. Successful exploitation could lead to a compromise of confidentiality, integrity, and availability of the affected device. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation in the wild.

CVE-2025-43200 is a vulnerability related to how Apple devices process maliciously crafted photos or videos shared via iCloud Link. A logic issue existed that could be exploited through a zero-click attack, meaning it could be triggered without any user interaction. Apple has acknowledged that this vulnerability may have been used in targeted attacks against specific individuals. The vulnerability was addressed with improved checks in iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1, released on February 10, 2025. Citizen Lab has found forensic evidence that this vulnerability was leveraged to deploy Paragon's Graphite spyware against journalists.