CVE Trends

CVE-2025-3928 is an unspecified vulnerability in the Commvault Web Server. It allows a remote, authenticated attacker to create and execute webshells on the affected server. The vulnerability can be exploited by any authenticated remote user, without requiring administrative privileges. CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog and recommends applying available vendor mitigations. Patches are available for Windows and Linux platforms in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217.

CVE-2025-37899 is a use-after-free vulnerability found in the ksmbd component of the Linux kernel, which is an in-kernel server implementing the SMB3 protocol for file sharing over networks. Specifically, the vulnerability exists in the session logoff handler. The vulnerability occurs because the `sess->user` object can be freed by one thread processing a logoff command while another thread, handling a new connection's session setup request, might still be accessing the same `sess->user` object. This concurrent access can lead to memory corruption and potentially allow attackers to execute arbitrary code with kernel privileges.

CVE-2025-4123 is a cross-site scripting (XSS) vulnerability found in Grafana. It stems from a combination of client path traversal and an open redirect issue within the handling of custom frontend plugins. This flaw allows attackers to redirect users to malicious websites and execute arbitrary JavaScript code. The vulnerability is particularly concerning because it can be exploited even without editor permissions, especially if anonymous access is enabled in Grafana. Furthermore, if the Grafana Image Renderer plugin is installed, the vulnerability can be escalated to a full read Server-Side Request Forgery (SSRF), potentially exposing internal services and cloud metadata. All supported versions of Grafana OSS and Grafana Enterprise, starting from Grafana 8 are affected.

CVE-2025-4427 is an authentication bypass vulnerability found in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and prior. It exists in the API component of the software. This vulnerability allows attackers to access protected resources without proper credentials via the API.

CVE-2025-32756 is a stack-based buffer overflow vulnerability that affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted HTTP requests. Fortinet has observed active exploitation of this vulnerability in the wild, specifically targeting FortiVoice systems. During the exploitation of CVE-2025-32756, threat actors have been observed performing network scans, deleting system crash logs to conceal their activity, and enabling 'fcgi debugging' to log credentials. Additionally, they have been seen deploying malware, establishing cron jobs to harvest credentials, and using scripts to conduct network reconnaissance on compromised devices.

CVE-2023-20118 is a vulnerability affecting the web-based management interface of several Cisco Small Business Routers, including RV016, RV042, RV042G, RV082, RV320, and RV325 models. It stems from improper validation of user input within incoming HTTP packets. An attacker with valid administrative credentials could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. Successful exploitation could allow the attacker to execute arbitrary commands on the device and gain unauthorized access to data. Cisco has stated they will not release software updates to address this vulnerability.

CVE-2025-26817 is an OS command injection vulnerability found in Netwrix Password Secure version 9.2.0.32454. The vulnerability allows an attacker to execute arbitrary operating system commands on the affected system. Successful exploitation could lead to unauthorized access, data theft, system compromise, and potentially using the system as a launching point for further network attacks. An authenticated attacker can create a malformed shared document which when opened by the target user can result in arbitrary code execution.

CVE-2025-40775 affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7. The vulnerability arises when BIND encounters an incoming DNS protocol message that includes a Transaction Signature (TSIG). Specifically, the vulnerability triggers when the TSIG contains an invalid value in the algorithm field. In such cases, BIND immediately aborts with an assertion failure.

CVE-2025-31200 is a memory corruption vulnerability that exists in Apple's CoreAudio framework. This vulnerability can be triggered when processing an audio stream within a maliciously crafted media file. Successful exploitation of this vulnerability could allow for arbitrary code execution on the affected device. Apple has addressed this issue with improved bounds checking in tvOS 18.4.1, visionOS 2.4.1, iOS and iPadOS 18.4.1, and macOS Sequoia 15.4.1. It was reported that this vulnerability may have been exploited in targeted attacks against specific individuals.

CVE-2025-4428 is a remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device. The vulnerability is associated with an open-source library integrated into EPMM. Ivanti released a security advisory on May 13, 2025, to address this vulnerability, along with an authentication bypass vulnerability (CVE-2025-4427). It was found that chaining the two vulnerabilities together could lead to unauthenticated remote code execution. Ivanti is aware of a limited number of customers whose systems have been exploited.