Activity

Latest CVE events and analysis as they emerge

  1. CVE-2025-7775

    28 Aug 2025, 08:55

    NetScaler ADC, NetScaler Gateway

    Intruder Insight published

    As this vulnerability is known to have been exploited by real attackers, the patch should be applied immediately. If you have a vulnerable device connected to the internet, in addition to patching it is important to check that the device has not already been compromised. NCSC-NL, the Dutch National Cyber Security Centre, has produced a tool, available [here](https://github.com/NCSC-NL/citrix-2025/tree/main/live-host-bash-check), which can help with this. Note that although the repository is named for an older CVE, the script is also receiving updates to check for issues relating to CVE-2025-7775.

    CVE-2025-7775 is a memory overflow vulnerability that affects Citrix NetScaler ADC and NetScaler Gateway. It can lead to remote code execution (RCE) and/or denial of service (DoS). The vulnerability exists when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It also affects load balancing (LB) virtual servers of types HTTP, SSL, or HTTP_QUIC bound with IPv6 services or service groups, as well as DBS IPv6 services or CR virtual server with type HDX. Exploits of this vulnerability have been observed in the wild.

  2. CVE-2025-8088

    27 Aug 2025, 09:17

    WinRAR

    Trended on social media

    Hype increased to 39

    CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR that allows attackers to execute arbitrary code via a crafted archive file. The attacker can trick the program into saving a file in a different location than the user intended, such as the user's Startup folder, from which their own code is then executed. It was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, and was exploited in the wild in phishing attacks to deliver RomCom malware. WinRAR patched the vulnerability in version 7.13.
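
The containment check an archive extractor has to apply to every entry name, as an added example (not WinRAR's or ESET's code, and it does not parse RAR files): the entry names and the destination directory are constructed, and the `Startup` path in the sample is there only because it is the destination the text names. Names are normalised to `/`, NTFS alternate data streams (`name:stream`) and absolute paths are refused outright, and the resolved target must still sit under the destination once `..` components are collapsed.

```python
"""Containment check an archive extractor must apply to every entry name.

Added example, not WinRAR's or ESET's code; it does not parse RAR files.
The entry names and destination below are constructed.
"""
import posixpath
from typing import List, Tuple

# Constructed: where the user believes the files will land.
DEST = "/home/user/Downloads/extracted"

# Constructed entry names as an extractor would see them. Backslashes are how
# Windows-style names arrive; an NTFS alternate data stream uses ':'.
SAMPLE_ENTRIES = [
    "report/summary.pdf",
    "safe/../notes.txt",
    "../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk",
    "C:\\Users\\Public\\loader.exe",
    "readme.txt:..\\..\\..\\evil.lnk",
]


def safe_target(dest: str, entry_name: str) -> Tuple[bool, str]:
    """Return (True, resolved path) or (False, reason).

    Separators are normalised to '/', alternate data streams and absolute
    paths are refused before any path arithmetic, and the resolved target
    must stay inside dest after '..' components are collapsed.
    """
    name = entry_name.replace("\\", "/")
    if ":" in name:
        return False, "alternate data stream or drive letter in entry name"
    if name.startswith("/"):
        return False, "absolute path"
    root = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(root, name))
    if target != root and not target.startswith(root + "/"):
        return False, "escapes destination directory"
    return True, target


def triage(dest: str, entries: List[str]) -> List[Tuple[str, bool, str]]:
    """Apply safe_target to each entry; (name, allowed, path-or-reason)."""
    return [(e, *safe_target(dest, e)) for e in entries]


if __name__ == "__main__":
    for name, ok, detail in triage(DEST, SAMPLE_ENTRIES):
        print(f"{'ALLOW' if ok else 'REJECT':6s} {name!r}: {detail}")
```

The check is deliberately done on the normalised name rather than on whatever the filesystem later resolves, since the point of the bug class is that the extractor trusts the name in the archive.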

  3. CVE-2025-7775

    27 Aug 2025, 06:17

    NetScaler ADC, NetScaler Gateway

    Trended on social media

    Hype increased to 33

    CVE-2025-7775 is a memory overflow vulnerability that affects Citrix NetScaler ADC and NetScaler Gateway. It can lead to remote code execution (RCE) and/or denial of service (DoS). The vulnerability exists when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It also affects load balancing (LB) virtual servers of types HTTP, SSL, or HTTP_QUIC bound with IPv6 services or service groups, as well as DBS IPv6 services or CR virtual server with type HDX. Exploits of this vulnerability have been observed in the wild.

  4. CVE-2025-48384

    26 Aug 2025, 15:17

    Git

    Trended on social media

    Hype increased to 34

    CVE-2025-48384 affects Git, a distributed revision control system. The vulnerability arises from how Git handles carriage return (CR) and line feed (LF) characters when reading and writing configuration values. Git strips trailing CRLF characters when reading a config value. However, when writing a config entry, values with a trailing CR are not quoted, leading to the CR being lost when the config is later read. This can lead to issues when initializing submodules. If a submodule path contains a trailing CR, the altered path (without the CR) is read, causing the submodule to be checked out to an incorrect location. If a symbolic link exists that points the altered path to the submodule's hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout, potentially leading to arbitrary code execution. This vulnerability is fixed in Git versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

  5. CVE-2025-25257

    26 Aug 2025, 13:17

    FortiWeb, Fortinet

    Trended on social media

    Hype increased to 50

    CVE-2025-25257 is a critical SQL injection vulnerability found in Fortinet's FortiWeb web application firewall. This vulnerability, classified as CWE-89, stems from improper neutralization of special elements used in SQL commands. The vulnerability allows unauthenticated attackers to execute unauthorized SQL code or commands by sending crafted HTTP or HTTPS requests to the FortiWeb management interface. Successful exploitation could lead to attackers accessing sensitive data, altering database contents, or compromising backend systems.
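
The CWE-89 pattern behind the entry above, shown as an injectable lookup beside its parameterised form. This is an added example, not FortiWeb code: the table, rows and attacker-supplied values are constructed, and the page does not say which request field FortiWeb's flaw is reached through, so the value here is just "something taken from the request".

```python
"""Injectable lookup beside its parameterised form (CWE-89).

Added example, not FortiWeb code. Table, rows and request values are
constructed; sqlite3 stands in for whatever database the product uses.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("fw-edge-01", "k-1a2b"), ("fw-core-02", "k-3c4d")],
    )
    return conn


def devices_for_key_vulnerable(conn: sqlite3.Connection, key: str) -> List[str]:
    """String-built SQL: the request value becomes part of the statement."""
    sql = f"SELECT name FROM devices WHERE api_key = '{key}'"
    return [row[0] for row in conn.execute(sql)]


def devices_for_key_fixed(conn: sqlite3.Connection, key: str) -> List[str]:
    """Parameterised SQL: the request value is only ever a bound string."""
    rows = conn.execute("SELECT name FROM devices WHERE api_key = ?", (key,))
    return [row[0] for row in rows]


# Constructed attacker-supplied values (e.g. from a header or query parameter).
INJECTED_TAUTOLOGY = "' OR '1'='1"                       # returns every row
INJECTED_UNION = "' UNION SELECT api_key FROM devices --"  # reads another column


if __name__ == "__main__":
    db = make_db()
    print("legit   :", devices_for_key_vulnerable(db, "k-1a2b"))
    print("tautolog:", devices_for_key_vulnerable(db, INJECTED_TAUTOLOGY))
    print("union   :", devices_for_key_vulnerable(db, INJECTED_UNION))
    print("fixed   :", devices_for_key_fixed(db, INJECTED_TAUTOLOGY))
```

The parameterised version does not "escape" anything; the driver sends the value separately from the statement, so the quote characters never reach the SQL parser.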

  6. CVE-2025-43300

    26 Aug 2025, 10:28

    Apple, macOS Sonoma

    Intruder Insight published

    Researchers ([b1n4r1b01](https://github.com/b1n4r1b01/n-days/blob/main/CVE-2025-43300.md), [hunters-sec](https://github.com/hunters-sec/CVE-2025-43300)) have been analysing the patch and have been able to trigger the crash in the iOS JPEG lossless decompression code within RawCamera.bundle. Given the seriousness of this vulnerability and the progress researchers have made, patches should be applied immediately.

    CVE-2025-43300 is an out-of-bounds write vulnerability in Apple's Image I/O framework, triggered when a device processes a maliciously crafted image file. An out-of-bounds write occurs when a program writes data outside of an allocated memory buffer, corrupting memory; the result can be a crash, data corruption, or potentially remote code execution. Apple has addressed the issue with improved bounds checking in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.

  7. CVE-2025-7775

    26 Aug 2025, 00:00

    NetScaler ADC, NetScaler Gateway

    Added to CISA KEV catalog

    Vulnerability name
    Citrix NetScaler Memory Overflow Vulnerability
    Product
    Citrix NetScaler

    CVE-2025-7775 is a memory overflow vulnerability that affects Citrix NetScaler ADC and NetScaler Gateway. It can lead to remote code execution (RCE) and/or denial of service (DoS). The vulnerability exists when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It also affects load balancing (LB) virtual servers of types HTTP, SSL, or HTTP_QUIC bound with IPv6 services or service groups, as well as DBS IPv6 services or CR virtual server with type HDX. Exploits of this vulnerability have been observed in the wild.
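
A config-side check for the affected configurations listed in the CVE-2025-7775 entries above (items 1, 3 and 7): this is an added example, not Citrix tooling, and it complements rather than replaces the NCSC-NL compromise check. It parses `ns.conf`-style lines and flags Gateway (VPN) virtual servers, AAA virtual servers, LB virtual servers of type HTTP/SSL/HTTP_QUIC bound to IPv6 services or service groups with IPv6 members, and CR virtual servers of type HDX. The excerpt is constructed; a service group is treated as IPv6 if any member is, and DBS IPv6 detection assumes the `-IPv6Address YES` flag on `add server`.

```python
"""Flag ns.conf objects in the CVE-2025-7775 affected configurations.

Added example, not Citrix tooling. The ns.conf excerpt is constructed; the
command forms are the usual "add/bind <feature> <object> ..." lines.
"""
import ipaddress
import shlex
from typing import Dict, List, Set, Tuple

SAMPLE_NS_CONF = """\
add server dbs6 app.example.invalid -IPv6Address YES
add vpn vserver gw_vs SSL 198.51.100.10 443 -icaOnly ON
add authentication vserver aaa_vs SSL 198.51.100.11 443
add lb vserver web_v4 HTTP 198.51.100.12 80
add lb vserver web_v6 SSL 198.51.100.13 443
add lb vserver api_quic HTTP_QUIC 198.51.100.14 443
add lb vserver ssh_v6 TCP 198.51.100.15 22
add lb vserver web_dbs HTTP 198.51.100.18 80
add service svc_v4 192.0.2.10 HTTP 80
add service svc_v6 2001:db8::10 HTTP 80
add service svc_v6_tcp 2001:db8::11 TCP 22
add service svc_dbs dbs6 HTTP 80
add serviceGroup sg_mixed HTTP
bind serviceGroup sg_mixed 192.0.2.20 80
bind serviceGroup sg_mixed 2001:db8::20 80
bind lb vserver web_v4 svc_v4
bind lb vserver web_v6 svc_v6
bind lb vserver api_quic sg_mixed
bind lb vserver ssh_v6 svc_v6_tcp
bind lb vserver web_dbs svc_dbs
add cr vserver cache_hdx HDX 198.51.100.16 443
add cr vserver cache_http HTTP 198.51.100.17 80
"""

# LB virtual server types named in the advisory text.
AFFECTED_LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}


def is_ipv6(token: str) -> bool:
    try:
        return ipaddress.ip_address(token).version == 6
    except ValueError:
        return False


def find_affected(ns_conf: str) -> Dict[str, List[str]]:
    """Return {category: [object names]} for objects in a vulnerable configuration."""
    ipv6_servers: Set[str] = set()          # DBS servers; assumes "-IPv6Address YES" form
    services: List[Tuple[str, str]] = []    # (service name, IP or server name)
    sg_members: List[Tuple[str, str]] = []  # (service group name, IP or server name)
    lb_type: Dict[str, str] = {}
    lb_members: Dict[str, List[str]] = {}
    hits: Dict[str, List[str]] = {"gateway": [], "aaa": [], "lb_ipv6": [], "cr_hdx": []}

    for raw in ns_conf.splitlines():
        try:
            t = shlex.split(raw)
        except ValueError:
            continue                        # unbalanced quotes: skip rather than guess
        if len(t) < 4:
            continue
        head = tuple(t[:3])
        if head == ("add", "vpn", "vserver"):
            hits["gateway"].append(t[3])    # VPN, ICA Proxy, CVPN and RDP Proxy all live here
        elif head == ("add", "authentication", "vserver"):
            hits["aaa"].append(t[3])
        elif head[:2] == ("add", "server"):
            if "-IPv6Address" in t and t[t.index("-IPv6Address") + 1:][:1] == ["YES"]:
                ipv6_servers.add(t[2])
        elif head[:2] == ("add", "service"):
            services.append((t[2], t[3]))
        elif head == ("add", "lb", "vserver") and len(t) > 4:
            lb_type[t[3]] = t[4]
        elif head[:2] == ("bind", "serviceGroup"):
            sg_members.append((t[2], t[3]))
        elif head == ("bind", "lb", "vserver") and len(t) > 4:
            lb_members.setdefault(t[3], []).append(t[4])
        elif head == ("add", "cr", "vserver") and len(t) > 4 and t[4] == "HDX":
            hits["cr_hdx"].append(t[3])

    def resolves_ipv6(target: str) -> bool:
        return is_ipv6(target) or target in ipv6_servers

    ipv6_services = {name for name, target in services if resolves_ipv6(target)}
    ipv6_groups = {name for name, target in sg_members if resolves_ipv6(target)}
    for vs, members in lb_members.items():
        if lb_type.get(vs) in AFFECTED_LB_TYPES and any(
            m in ipv6_services or m in ipv6_groups for m in members
        ):
            hits["lb_ipv6"].append(vs)
    return hits


if __name__ == "__main__":
    for category, names in find_affected(SAMPLE_NS_CONF).items():
        print(f"{category:8s} {', '.join(names) or '-'}")
```

Feed it the output of `show ns runningConfig` or a saved `ns.conf`; an empty result does not mean the appliance is safe to leave unpatched, only that none of the listed configurations were found in that file.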

  8. CVE-2025-9074

    25 Aug 2025, 18:17

    Docker Desktop

    Trended on social media

    Hype increased to 31

    CVE-2025-9074 is a security vulnerability found in Docker Desktop that allows local Linux containers to access the Docker Engine API via the configured Docker subnet, which defaults to 192.168.65.7:2375. This vulnerability exists regardless of whether Enhanced Container Isolation (ECI) is enabled or if the "Expose daemon on tcp://localhost:2375 without TLS" option is enabled. The vulnerability allows malicious containers to bypass restrictions and directly access the Docker Engine API, potentially enabling attackers to execute privileged commands, control other containers, manage Docker images, and, in Windows environments using the Windows Subsystem for Linux (WSL) backend, mount the host drive with the permissions of the user running Docker Desktop. This can lead to a complete compromise of the host system.

  9. CVE-2025-48384

    25 Aug 2025, 00:00

    Git

    Added to CISA KEV catalog

    Vulnerability name
    Git Link Following Vulnerability
    Product
    Git

    CVE-2025-48384 affects Git, a distributed revision control system. The vulnerability arises from how Git handles carriage return (CR) and line feed (LF) characters when reading and writing configuration values. Git strips trailing CRLF characters when reading a config value. However, when writing a config entry, values with a trailing CR are not quoted, leading to the CR being lost when the config is later read. This can lead to issues when initializing submodules. If a submodule path contains a trailing CR, the altered path (without the CR) is read, causing the submodule to be checked out to an incorrect location. If a symbolic link exists that points the altered path to the submodule's hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout, potentially leading to arbitrary code execution. This vulnerability is fixed in Git versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
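
The read/write asymmetry described in the two CVE-2025-48384 entries above (items 4 and 9), as an added example that is not Git's source. `read_value` and the two writers are a deliberately simplified model of git's config value handling, enough to show why a trailing CR survives a quoted value but is stripped from a bare one; `suspicious_submodule_paths` then scans a constructed `.gitmodules` for the condition the text describes, a submodule path that still contains a CR after parsing.

```python
"""Model of the config read/write asymmetry behind CVE-2025-48384.

Added example, not Git's source. read_value/write_* are a simplified model
of git's config value handling. The .gitmodules text is constructed.
"""
import re
from typing import Callable, Dict, List

SECTION_RE = re.compile(r'^\[submodule "([^"]+)"\]\s*$')
KEYVAL_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")

# Constructed .gitmodules: the first submodule's path carries a trailing CR
# inside quotes, so it reads back as 'sub\r' rather than 'sub'.
SAMPLE_GITMODULES = (
    '[submodule "hooks-trick"]\n'
    '\tpath = "sub\r"\n'
    "\turl = https://example.invalid/sub.git\n"
    '[submodule "ok"]\n'
    "\tpath = vendor/lib\n"
    "\turl = https://example.invalid/lib.git\n"
)


def read_value(raw: str) -> str:
    """A double-quoted value is kept as written (basic escapes decoded); a bare
    value loses trailing whitespace, and a trailing CR counts as whitespace."""
    raw = raw.rstrip("\n")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw.rstrip(" \t\r")


def quote(value: str) -> str:
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_value_vulnerable(value: str) -> str:
    """Pre-fix behaviour: quote on leading/trailing space or comment characters
    only, so a value ending in CR is written bare and the CR is lost on re-read."""
    if value[:1] == " " or value[-1:] == " " or any(c in value for c in ";#"):
        return quote(value)
    return value


def write_value_fixed(value: str) -> str:
    """Fixed behaviour: a CR anywhere in the value also forces quoting."""
    if value[:1] == " " or value[-1:] == " " or any(c in value for c in ";#\r"):
        return quote(value)
    return value


def roundtrip(writer: Callable[[str], str], value: str) -> str:
    """Write a value with the given writer, then read the line back."""
    return read_value(writer(value) + "\n")


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.split("\n"):  # not splitlines(): that would split on the CR we care about
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = read_value(m.group(2) + "\n")
    return sections


def suspicious_submodule_paths(text: str) -> List[str]:
    """Names of submodules whose path still contains a CR after parsing."""
    return [name for name, kv in parse_gitmodules(text).items() if "\r" in kv.get("path", "")]


if __name__ == "__main__":
    print(repr(roundtrip(write_value_vulnerable, "sub\r")), "<- vulnerable writer")
    print(repr(roundtrip(write_value_fixed, "sub\r")), "<- fixed writer")
    print("suspicious:", suspicious_submodule_paths(SAMPLE_GITMODULES))
```

The scanner is a pre-clone triage aid for repositories you have fetched but not yet checked out with submodules; upgrading to one of the fixed versions listed in the entry is the actual remedy.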

  10. CVE-2024-8069

    25 Aug 2025, 00:00

    Citrix Session Recording

    Added to CISA KEV catalog

    Vulnerability name
    Citrix Session Recording Deserialization of Untrusted Data Vulnerability
    Product
    Citrix Session Recording

    CVE-2024-8069 is a deserialization of untrusted data vulnerability that affects Citrix Session Recording. Exploitation allows a remote threat actor to execute arbitrary code on the server. The attacker needs network access to a target system with a deployed Session Recording service, must be an authenticated user on the same intranet as that server, and must send a malicious serialized request to the MSMQ endpoint over HTTP. Successful exploitation yields limited remote code execution with the privileges of the NetworkService account.

  11. CVE-2024-8068

    25 Aug 2025, 00:00

    Citrix Session Recording

    Added to CISA KEV catalog

    Vulnerability name
    Citrix Session Recording Improper Privilege Management Vulnerability
    Product
    Citrix Session Recording

    CVE-2024-8068 is a security vulnerability affecting Citrix Session Recording. It involves improper privilege management, which can allow an attacker to escalate privileges to NetworkService Account access. To exploit this vulnerability, the attacker must be an authenticated user within the same Windows Active Directory domain as the session recording server. Citrix released patches in November 2024 to address this issue.

  12. CVE-2024-36401

    23 Aug 2025, 22:17

    Trended on social media

    Hype increased to 50

    CVE-2024-36401 is a remote code execution (RCE) vulnerability affecting GeoServer, an open-source software server that allows users to share and edit geospatial data. The vulnerability exists in versions prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2. It stems from the unsafe evaluation of property names as XPath expressions within the GeoTools library API, which GeoServer uses. This API incorrectly passes property/attribute names to the commons-jxpath library, potentially allowing the execution of arbitrary code. The vulnerability can be exploited through multiple Open Geospatial Consortium (OGC) request parameters, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute. It is applicable to all GeoServer instances because the flawed XPath evaluation, intended for complex feature types, is mistakenly applied to simple feature types as well. A patch is available in versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2. A workaround involves removing the `gt-complex-x.y.jar` file from the GeoServer installation, although this may break some GeoServer functionality.
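
Detection logic for the request vectors named above, as an added example (not GeoServer tooling). The heuristic is that a WFS property name is an identifier, optionally prefixed or path-like (`the_geom`, `topp:states/name`); parentheses, quotes or a `java.` token inside a `valueReference` or `propertyName` parameter mean an expression is being handed to the XPath evaluator rather than a property being looked up. The access-log lines are constructed, including the expression-shaped values used to exercise the heuristic. It only sees GET query strings; WPS Execute and other XML POST bodies are not in an access log and need body-level inspection.

```python
"""Flag OGC requests whose property-name parameters look like XPath expressions.

Added example, not GeoServer tooling. Log lines are constructed in common
access-log format; only GET query strings are inspected.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)
# Parameters that carry property names in WFS GetFeature / GetPropertyValue.
WATCHED_PARAMS = {"valuereference", "propertyname"}
# Function-call syntax, string literals or Java class paths have no place
# in a property name (heuristic, assumed here).
EXPRESSION_RE = re.compile(r"[()'\"]|\bjava\.", re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2025:10:02:11 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=the_geom HTTP/1.1" 200 5120
203.0.113.9 - - [21/Aug/2025:10:02:40 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),'id') HTTP/1.1" 400 310
198.51.100.7 - - [21/Aug/2025:10:03:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 8831
203.0.113.9 - - [21/Aug/2025:10:03:15 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=exec%28java.lang.Runtime.getRuntime%28%29%2C%27id%27%29 HTTP/1.1" 400 310
198.51.100.7 - - [21/Aug/2025:10:04:30 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=topp:states&styles=&bbox=-180,-90,180,90&width=256&height=256&srs=EPSG:4326&format=image/png HTTP/1.1" 200 4410
"""


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one record per watched parameter value that matches EXPRESSION_RE."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        # parse_qs percent-decodes, so encoded payloads are compared in the clear.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() not in WATCHED_PARAMS:
                continue
            for value in values:
                if EXPRESSION_RE.search(value):
                    hits.append({"ip": ip, "time": ts, "param": key,
                                 "value": value, "status": status})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['param']}={h['value']!r} -> {h['status']}")
```

A 400 on such a request does not mean the attempt failed; log status codes are recorded, not used to suppress hits, so a successful evaluation returning 200 is flagged the same way.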

  13. CVE-2025-9074

    22 Aug 2025, 16:17

    Docker Desktop

    Trended on social media

    Hype increased to 32

    CVE-2025-9074 is a security vulnerability found in Docker Desktop that allows local Linux containers to access the Docker Engine API via the configured Docker subnet, which defaults to 192.168.65.7:2375. This vulnerability exists regardless of whether Enhanced Container Isolation (ECI) is enabled or if the "Expose daemon on tcp://localhost:2375 without TLS" option is enabled. The vulnerability allows malicious containers to bypass restrictions and directly access the Docker Engine API, potentially enabling attackers to execute privileged commands, control other containers, manage Docker images, and, in Windows environments using the Windows Subsystem for Linux (WSL) backend, mount the host drive with the permissions of the user running Docker Desktop. This can lead to a complete compromise of the host system.
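
A reachability probe for the condition described in the two CVE-2025-9074 entries above (items 8 and 13): from inside a Linux container, does the Docker Engine API at the default address answer an unauthenticated `GET /version`? This is an added example, not Docker's code. The default endpoint string is the one given in the entry; the fake daemon is constructed so the probe can be exercised offline and shows the "reachable" and "unreachable" outcomes side by side.

```python
"""Probe whether a Docker Engine API endpoint answers unauthenticated requests.

Added example, not Docker's code. Run inside a Linux container on Docker
Desktop, a non-None result against DEFAULT_ENDPOINT means the container
can drive the host daemon. The fake daemon is constructed for offline use.
"""
import http.client
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

DEFAULT_ENDPOINT = "http://192.168.65.7:2375"  # address given in the advisory text


def probe_engine_api(base_url: str, timeout: float = 2.0) -> Optional[dict]:
    """GET /version with no credentials; parsed JSON if a daemon answered, else None."""
    url = base_url.rstrip("/") + "/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (urllib.error.URLError, http.client.HTTPException,
            socket.timeout, ValueError, OSError):
        return None


class _FakeDaemon(BaseHTTPRequestHandler):
    """Constructed stand-in for a daemon exposing /version without auth."""

    def do_GET(self):
        if self.path == "/version":
            body = json.dumps({"Version": "0.0.0-fake", "ApiVersion": "1.0"}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_daemon() -> Tuple[HTTPServer, str]:
    srv = HTTPServer(("127.0.0.1", 0), _FakeDaemon)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def unused_port_url() -> str:
    """A loopback URL nothing listens on, for the unreachable case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return f"http://127.0.0.1:{port}"


if __name__ == "__main__":
    srv, url = start_fake_daemon()
    print("fake daemon     :", probe_engine_api(url))
    print("closed port     :", probe_engine_api(unused_port_url()))
    print("default endpoint:", probe_engine_api(DEFAULT_ENDPOINT, timeout=1.0))
    srv.shutdown()
```

Anything other than None from the default endpoint, obtained from inside an ordinary (non-privileged) container, is the finding; the ECI and "Expose daemon" settings named in the entry do not change the outcome.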

  14. CVE-2025-43300

    22 Aug 2025, 14:17

    Apple, macOS Sonoma

    Trended on social media

    Hype increased to 91

    CVE-2025-43300 is an out-of-bounds write vulnerability in Apple's Image I/O framework, triggered when a device processes a maliciously crafted image file. An out-of-bounds write occurs when a program writes data outside of an allocated memory buffer, corrupting memory; the result can be a crash, data corruption, or potentially remote code execution. Apple has addressed the issue with improved bounds checking in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.

  15. CVE-2025-43300

    22 Aug 2025, 01:17

    Apple, macOS Sonoma

    Trended on social media

    Hype increased to 60

    CVE-2025-43300 is an out-of-bounds write vulnerability in Apple's Image I/O framework, triggered when a device processes a maliciously crafted image file. An out-of-bounds write occurs when a program writes data outside of an allocated memory buffer, corrupting memory; the result can be a crash, data corruption, or potentially remote code execution. Apple has addressed the issue with improved bounds checking in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.