Vulnerability intelligence

CVE-2024-30088 is an elevation of privilege vulnerability in the Windows Kernel. It is a Time-Of-Check Time-Of-Use (TOCTOU) race condition, meaning that the state of a resource can change between when it is checked and when it is used, which can lead to unexpected actions. An attacker can exploit this vulnerability to run code with elevated privileges on a vulnerable system. This vulnerability has been actively exploited in the wild, including by the OilRig APT group, which is known for cyber espionage. Successful exploitation could allow an attacker to gain complete control over the affected system. It is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which requires timely patching.

CVE-2025-42957 is a code injection vulnerability affecting SAP S/4HANA, specifically its function module exposed via RFC. It allows an attacker with user privileges to inject arbitrary ABAP code into the system, bypassing authorization checks. This vulnerability can be exploited by an authenticated attacker with valid SAP credentials and S_RFC authorizations by invoking a vulnerable function module and supplying crafted input that is directly used in dynamic ABAP code execution constructs. Successful exploitation of CVE-2025-42957 can lead to a complete system compromise, undermining the confidentiality, integrity, and availability of the system. This includes the potential to modify the SAP database, create superuser accounts, download password hashes, and alter business processes. SecurityBridge has verified that the exploit is being used in the wild.

CVE-2025-52856 is an improper authentication vulnerability affecting VioStor. A remote attacker can exploit this vulnerability to compromise the security of the system. Successful exploitation allows an attacker to gain unauthorized access to an application, service, or device. No privileges or user interaction are required for exploitation. The vulnerability has been fixed in VioStor version 5.1.6 build 20250621 and later.

CVE-2025-53690 is a ViewState deserialization vulnerability affecting Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. The vulnerability stems from the reuse of a sample ASP.NET machine key that was included in official Sitecore deployment guides prior to 2017 and, in some instances, mistakenly implemented in production environments. Attackers who possess this key can create malicious __VIEWSTATE payloads, bypassing validation and enabling code execution on the targeted server. This turns a misconfiguration into a Remote Code Execution (RCE) vector. The initial compromise can grant attackers access under the NETWORK SERVICE account. The WEEPSTEEL malware may be deployed to gather system, network, and user information.

CVE-2025-48543 is a vulnerability affecting the Android Runtime (ART), which is responsible for running applications on Android devices. This vulnerability could allow a local attacker to gain elevated privileges without requiring user interaction. Exploitation attempts of CVE-2025-48543 have been observed. The vulnerability stems from a use-after-free issue that could allow an attacker to escape the Chrome sandbox and attack the Android system server. Google has released security updates for Android-powered devices, including fixes for CVE-2025-48543.

CVE-2025-38352 is a vulnerability that exists in the Linux kernel, specifically within the handling of POSIX CPU timers. The vulnerability stems from a race condition between `handle_posix_cpu_timers()` and `posix_cpu_timer_del()`. This race condition can occur when a non-autoreaping task that is exiting has already passed `exit_notify()` and calls `handle_posix_cpu_timers()` from an interrupt request (IRQ). If a concurrent `posix_cpu_timer_del()` runs at the same time, it might not detect that `timer->it.cpu.firing != 0`, which can cause `cpu_timer_task_rcu()` and/or `lock_task_sighand()` to fail. This vulnerability can be exploited to gain elevated privileges on Android devices.