Activity

Latest CVE events and analysis as they emerge

  1. CVE-2025-33053

    10 Jun 2025, 00:00

    Windows WebDAV Client

    Added to CISA KEV catalog

    Vulnerability name
    Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability
    Product
    Web Distributed Authoring and Versioning (WebDAV)

    CVE-2025-33053 is a remote code execution vulnerability affecting the WebDAV client in Microsoft Windows. It stems from insufficient input validation in WebDAV file path handling, allowing an attacker to execute arbitrary code over a network. Successful exploitation requires a user to click on a specially crafted WebDAV URL, potentially leading to unauthorized access to sensitive system resources, compromise of system integrity and confidentiality, or even full control of the affected system. This vulnerability has been actively exploited in the wild.

  2. CVE-2025-24016

    10 Jun 2025, 00:00

    Wazuh

    Added to CISA KEV catalog

    Vulnerability name
    Wazuh Server Deserialization of Untrusted Data Vulnerability
    Product
    Wazuh Wazuh Server

    CVE-2025-24016 is a critical remote code execution (RCE) vulnerability found in the Wazuh security platform, versions 4.4.0 through 4.9.0. It allows attackers to execute arbitrary code on affected Wazuh servers. The vulnerability arises from unsafe deserialization of DistributedAPI (DAPI) parameters. These parameters are serialized as JSON and then deserialized using the `as_wazuh_object` function. Attackers can exploit this by injecting a malicious, unsanitized dictionary into a DAPI request or response, leading to the execution of arbitrary Python code. This vulnerability can be exploited by anyone with API access, potentially including compromised dashboards, other Wazuh servers within a cluster, or even compromised agents, depending on the configuration. Wazuh has addressed this vulnerability in version 4.9.1. Users are strongly encouraged to update to this version to mitigate the risk of exploitation.

  3. CVE-2025-32433

    09 Jun 2025, 00:00

    Erlang/OTP

    Added to CISA KEV catalog

    Vulnerability name
    Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
    Product
    Erlang Erlang/OTP

    CVE-2025-32433 is a vulnerability found in the Erlang/OTP SSH server. It stems from a flaw in the SSH protocol message handling, which allows an attacker with network access to execute arbitrary code on the server without authentication. Specifically, the vulnerability enables a malicious actor to send connection protocol messages before authentication takes place. Successful exploitation could lead to full compromise of the host, unauthorized access, manipulation of sensitive data, or denial-of-service attacks.

  4. CVE-2024-42009

    09 Jun 2025, 00:00

    Roundcube

    Added to CISA KEV catalog

    Vulnerability name
    RoundCube Webmail Cross-Site Scripting Vulnerability
    Product
    Roundcube Webmail

    CVE-2024-42009 is a Cross-Site Scripting (XSS) vulnerability affecting Roundcube webmail software, specifically versions 1.5.7 and 1.6.x up to 1.6.7. It stems from a flaw in the `message_body()` function within the `program/actions/mail/show.php` file, where a desanitization issue can be exploited. This vulnerability allows a remote attacker to steal and send emails of a victim by sending a specially crafted email message. When a user views this malicious email in Roundcube, the attacker can execute arbitrary JavaScript in the victim's browser, potentially gaining persistent access to exfiltrate emails or steal passwords.

  5. CVE-2025-5419

    05 Jun 2025, 00:00

    Google Chrome V8

    Added to CISA KEV catalog

    Vulnerability name
    Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
    Product
    Google Chromium V8

    CVE-2025-5419 is an out-of-bounds read and write vulnerability found in the V8 JavaScript and WebAssembly engine of Google Chrome. Specifically, it affects Google Chrome versions prior to 137.0.7151.68. According to NIST's National Vulnerability Database (NVD), this vulnerability could allow a remote attacker to potentially exploit heap corruption through a crafted HTML page. The vulnerability was reported to Google on May 27, 2025, by Clement Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG). Google has confirmed that an exploit for CVE-2025-5419 exists in the wild and has released a security update to address the issue. A configuration change was pushed to the Stable version of Chrome across all platforms on May 28, 2025, to mitigate the bug.

  6. CVE-2025-27038

    03 Jun 2025, 00:00

    Qualcomm Adreno

    Added to CISA KEV catalog

    Vulnerability name
    Qualcomm Multiple Chipsets Use-After-Free Vulnerability
    Product
    Qualcomm Multiple Chipsets

    CVE-2025-27038 is a use-after-free vulnerability found in the Graphics component of Qualcomm's Adreno GPU drivers. This vulnerability can lead to memory corruption while rendering graphics, specifically when using the Adreno GPU drivers in Chrome. Qualcomm has released patches for this vulnerability, along with CVE-2025-21479 and CVE-2025-21480, and recommends that OEMs deploy the updates to affected devices as soon as possible. There are indications that CVE-2025-27038 may be under limited, targeted exploitation.

  7. CVE-2025-21480

    03 Jun 2025, 00:00

    Qualcomm Adreno

    Added to CISA KEV catalog

    Vulnerability name
    Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
    Product
    Qualcomm Multiple Chipsets

    CVE-2025-21480 is an incorrect authorization vulnerability found in Qualcomm's Adreno GPU driver, specifically within the Graphics component. This flaw can lead to memory corruption due to unauthorized command execution in the GPU microcode when a specific sequence of commands is processed. The vulnerability is one of three zero-day flaws that were actively exploited in targeted attacks. Patches for this issue have been made available to OEMs, with a strong recommendation to deploy the update on affected devices as soon as possible.

  8. CVE-2025-21479

    03 Jun 2025, 00:00

    Qualcomm Adreno

    Added to CISA KEV catalog

    Vulnerability name
    Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
    Product
    Qualcomm Multiple Chipsets

    CVE-2025-21479 is an incorrect authorization vulnerability found in the Graphics component of Qualcomm's Adreno GPU driver. This flaw can lead to memory corruption due to unauthorized command execution in the GPU microcode when a specific sequence of commands is processed. Successful exploitation of CVE-2025-21479 could allow attackers to execute unauthorized commands, potentially corrupting system memory. Qualcomm has released patches for this vulnerability and recommends that OEMs deploy the updates to affected devices as soon as possible. There are indications that this vulnerability may be under limited, targeted exploitation.

  9. CVE-2025-3935

    02 Jun 2025, 00:00

    ScreenConnect

    Added to CISA KEV catalog

    Vulnerability name
    ConnectWise ScreenConnect Improper Authentication Vulnerability
    Product
    ConnectWise ScreenConnect

    CVE-2025-3935 affects ScreenConnect versions 25.2.3 and earlier. It is a ViewState code injection vulnerability in ASP.NET Web Forms. The ViewState feature is used to preserve the state of pages and controls, with data encoded in Base64 and protected by machine keys. If an attacker gains privileged system-level access and compromises these machine keys, they could create and send malicious ViewState data to the website. This could potentially lead to remote code execution on the server. ScreenConnect version 25.2.4 disables ViewState to remove any dependency on it.

  10. CVE-2025-35939

    02 Jun 2025, 00:00

    Craft CMS

    Added to CISA KEV catalog

    Vulnerability name
    Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
    Product
    Craft CMS

    CVE-2025-35939 affects Craft CMS, where unauthenticated users can store arbitrary content in session files. This is due to the CMS storing return URLs without proper sanitization. When an unauthenticated request is redirected to the login page, Craft CMS generates a session file at `/var/lib/php/sessions` named `sess_[session_value]`, with the session value provided to the client via a Set-Cookie header. An unauthenticated attacker could inject arbitrary values, including potentially malicious PHP code, into a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this vulnerability by implementing proper sanitization of return URLs before they are saved to the PHP session.

  11. CVE-2024-56145

    02 Jun 2025, 00:00

    Craft CMS

    Added to CISA KEV catalog

    Vulnerability name
    Craft CMS Code Injection Vulnerability
    Product
    Craft CMS

    CVE-2024-56145 is a remote code execution (RCE) vulnerability affecting Craft CMS. It exists in versions 5.0.0-RC1 to 5.5.2 (excluding 5.5.2), 4.0.0-RC1 to 4.13.2 (excluding 4.13.2), and 3.0.0 to 3.9.14 (excluding 3.9.14). The vulnerability is triggered when the PHP configuration setting `register_argc_argv` is enabled, which is the default in the official Craft CMS docker image. An attacker can exploit this vulnerability to achieve unauthenticated remote code execution by manipulating paths such as `--templatesPath` or `--configPath`, forcing the CMS to load arbitrary files. A successful exploit could lead to complete system compromise, potentially through the use of template files loaded via FTP, bypassing the CMS's built-in sandboxing.

  12. CVE-2023-39780

    02 Jun 2025, 00:00

    ASUS RT-AX55

    Added to CISA KEV catalog

    Vulnerability name
    ASUS RT-AX55 Routers OS Command Injection Vulnerability
    Product
    ASUS RT-AX55 Routers

    CVE-2023-39780 is a command injection vulnerability found in ASUS RT-AX55 routers, specifically version 3.0.0.4.386.51598. It allows authenticated attackers to execute arbitrary commands on the system. The vulnerability exists in the handling of user input, which enables attackers to inject and execute commands with elevated privileges. Successful exploitation of CVE-2023-39780 can lead to unauthorized actions and data breaches. Attackers have been observed exploiting this vulnerability, along with other authentication bypass techniques, to gain persistent access to ASUS routers, enabling SSH access and disabling logging to maintain a stealthy backdoor.

  13. CVE-2021-32030

    02 Jun 2025, 00:00

    ASUS GT-AC2900

    Added to CISA KEV catalog

    Vulnerability name
    ASUS Routers Improper Authentication Vulnerability
    Product
    ASUS Routers

    CVE-2021-32030 is an authentication bypass vulnerability affecting ASUS GT-AC2900 devices before version 3.0.0.4.386.42643 and Lyra Mini devices before version 3.0.0.4_384_46630. The vulnerability stems from how the administrator application processes remote input from unauthenticated users. Specifically, the vulnerability allows an attacker to gain unauthorized access to the administrator interface. This is because an attacker-supplied null byte ('\0') can match the device's default null byte value in certain situations during the authentication process. Successful exploitation could allow attackers to modify router settings, intercept network traffic, and potentially install malicious firmware.

  14. CVE-2025-4632

    22 May 2025, 00:00

    Samsung MagicINFO

    Added to CISA KEV catalog

    Vulnerability name
    Samsung MagicINFO 9 Server Path Traversal Vulnerability
    Product
    Samsung MagicINFO 9 Server

    CVE-2025-4632 is a path traversal vulnerability affecting Samsung MagicINFO 9 Server versions before 21.1052. The vulnerability stems from an improper limitation of a pathname to a restricted directory, which allows attackers to write arbitrary files with system authority. This can lead to remote code execution if specially crafted JavaServer Pages (JSP) files are uploaded. The vulnerability has been actively exploited in the wild and is considered a patch bypass for CVE-2024-7399, another path traversal flaw in the same product. Exploitation of CVE-2025-4632 has been linked to the deployment of the Mirai botnet in some instances. Samsung has released software updates to address this vulnerability.

  15. CVE-2025-4428

    19 May 2025, 00:00

    Ivanti EPMM

    Added to CISA KEV catalog

    Vulnerability name
    Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
    Product
    Ivanti Endpoint Manager Mobile (EPMM)

    CVE-2025-4428 is a remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device. The vulnerability is associated with an open-source library integrated into EPMM. Ivanti released a security advisory on May 13, 2025, to address this vulnerability, along with an authentication bypass vulnerability (CVE-2025-4427). It was found that chaining the two vulnerabilities together could lead to unauthenticated remote code execution. Ivanti is aware of a limited number of customers whose systems have been exploited.

  16. CVE-2025-4427

    19 May 2025, 00:00

    Ivanti EPMM

    Added to CISA KEV catalog

    Vulnerability name
    Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
    Product
    Ivanti Endpoint Manager Mobile (EPMM)

    CVE-2025-4427 is an authentication bypass vulnerability found in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and prior. It exists in the API component of the software. This vulnerability allows attackers to access protected resources without proper credentials via the API.

  17. CVE-2025-27920

    19 May 2025, 00:00

    Output Messenger

    Added to CISA KEV catalog

    Vulnerability name
    Srimax Output Messenger Directory Traversal Vulnerability
    Product
    Srimax Output Messenger

    CVE-2025-27920 is a directory traversal vulnerability that affects Output Messenger version 2.0.62 and earlier. This vulnerability allows authenticated attackers to upload malicious files into the server's startup directory by using "../" sequences in parameters to access files outside the intended directory. Successful exploitation of this vulnerability could allow attackers to access sensitive files, potentially leading to configuration leakage or arbitrary file access. It was discovered that a threat actor named Marbled Dust exploited this vulnerability in a cyber espionage campaign, targeting the Kurdish military operating in Iraq. Output Messenger released version 2.0.63 in late December 2024 to address this vulnerability.

  18. CVE-2024-27443

    19 May 2025, 00:00

    Zimbra ZCS

    Added to CISA KEV catalog

    Vulnerability name
    Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
    Product
    Synacor Zimbra Collaboration Suite (ZCS)

    CVE-2024-27443 is a Cross-Site Scripting (XSS) vulnerability found in the CalendarInvite feature of the Zimbra Collaboration Suite (ZCS) classic webmail interface. This vulnerability exists because of improper input validation when handling the calendar header in email messages. An attacker can exploit this flaw by sending a specially crafted email containing a malicious calendar header with an embedded XSS payload. When a user views the email in the Zimbra classic web interface, the malicious code is executed within their browser, potentially allowing the attacker to compromise the user's session and execute arbitrary JavaScript code.

  19. CVE-2024-11182

    19 May 2025, 00:00

    MDaemon Email Server

    Added to CISA KEV catalog

    Vulnerability name
    MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
    Product
    MDaemon Email Server

    CVE-2024-11182 is a cross-site scripting (XSS) vulnerability found in MDaemon Email Server versions prior to 24.5.1c. The vulnerability arises from insufficient sanitization of user-supplied data when handling IMG tags in email messages. An attacker can exploit this vulnerability by sending a specially crafted HTML email containing JavaScript code within an `<img>` tag. If the recipient opens the email, the malicious JavaScript code could execute within the context of their webmail browser window, potentially leading to unauthorized actions or information disclosure.

  20. CVE-2023-38950

    19 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    ZKTeco BioTime Path Traversal Vulnerability
    Product
    ZKTeco BioTime

    A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.

  21. CVE-2025-4664

    15 May 2025, 00:00

    Google Chrome

    Added to CISA KEV catalog

    Vulnerability name
    Google Chromium Loader Insufficient Policy Enforcement Vulnerability
    Product
    Google Chromium

    CVE-2025-4664 is a vulnerability affecting Google Chrome's Loader component. The vulnerability stems from insufficient policy enforcement, which allows a remote attacker to potentially leak cross-origin data by using a crafted HTML page. The vulnerability was discovered by security researcher Vsevolod Kokorin (@slonser_) and reported on May 5, 2025. Google has released updates to address this issue in Chrome versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux. It is recommended that users update their Chrome browsers to these versions to mitigate the risk.

  22. CVE-2025-42999

    15 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    SAP NetWeaver Deserialization Vulnerability
    Product
    SAP NetWeaver

    SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

  23. CVE-2024-12987

    15 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    DrayTek Vigor Routers OS Command Injection Vulnerability
    Product
    DrayTek Vigor Routers

    A vulnerability classified as critical was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. Manipulation of the argument session leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 addresses this issue; upgrading the affected component is recommended.

  24. CVE-2025-32756

    14 May 2025, 00:00

    Fortinet FortiVoice

    Added to CISA KEV catalog

    Vulnerability name
    Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability
    Product
    Fortinet Multiple Products

    CVE-2025-32756 is a stack-based buffer overflow vulnerability that affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted HTTP requests. Fortinet has observed active exploitation of this vulnerability in the wild, specifically targeting FortiVoice systems. During the exploitation of CVE-2025-32756, threat actors have been observed performing network scans, deleting system crash logs to conceal their activity, and enabling 'fcgi debugging' to log credentials. Additionally, they have been seen deploying malware, establishing cron jobs to harvest credentials, and using scripts to conduct network reconnaissance on compromised devices.

  25. CVE-2025-32706

    13 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
    Product
    Microsoft Windows

    Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

  26. CVE-2025-32701

    13 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
    Product
    Microsoft Windows

    Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

  27. CVE-2025-30400

    13 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows DWM Core Library Use-After-Free Vulnerability
    Product
    Microsoft Windows

    Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.

  28. CVE-2025-30397

    13 May 2025, 00:00

    Microsoft Scripting Engine

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows Scripting Engine Type Confusion Vulnerability
    Product
    Microsoft Windows

    CVE-2025-30397 is a memory corruption vulnerability within the Microsoft Scripting Engine. Exploitation of this vulnerability could allow an attacker to execute arbitrary code on an affected system. To successfully exploit this vulnerability, a user must click on a specially crafted link, often delivered through a malicious website or script. The vulnerability stems from the scripting engine misinterpreting object types, leading to memory corruption. Notably, successful exploitation requires the target to be running Microsoft Edge in Internet Explorer mode. This vulnerability has been actively exploited in the wild as a zero-day.

  29. CVE-2025-32709

    13 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability
    Product
    Microsoft Windows

    Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

  30. CVE-2025-47729

    12 May 2025, 00:00

    TeleMessage

    Added to CISA KEV catalog

    Vulnerability name
    TeleMessage TM SGNL Hidden Functionality Vulnerability
    Product
    TeleMessage TM SGNL

    CVE-2025-47729 is a vulnerability found in the TeleMessage TM SGNL application. The archiving backend of TeleMessage stores cleartext copies of messages from TM SGNL app users. This differs from the vendor's documentation, which describes "End-to-End encryption from the mobile phone through to the corporate archive". This vulnerability was exploited in the wild in May 2025. The vulnerability means that unauthorized individuals with high-privilege access could potentially view sensitive message contents in plaintext. This could compromise user privacy and corporate communication confidentiality because the messages were expected to be securely encrypted.

  31. CVE-2024-6047

    07 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    GeoVision Devices OS Command Injection Vulnerability
    Product
    GeoVision Multiple Devices

    Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.

  32. CVE-2024-11120

    07 May 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    GeoVision Devices OS Command Injection Vulnerability
    Product
    GeoVision Multiple Devices

    Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.

  33. CVE-2025-27363

    06 May 2025, 00:00

    FreeType

    Added to CISA KEV catalog

    Vulnerability name
    FreeType Out-of-Bounds Write Vulnerability
    Product
    FreeType

    CVE-2025-27363 is a vulnerability found in FreeType versions 2.13.0 and below. It occurs when parsing font subglyph structures related to TrueType GX and variable font files. The issue stems from assigning a signed short value to an unsigned long, followed by adding a static value. This causes a wrap-around, resulting in a heap buffer that is too small being allocated. The vulnerability allows writing up to 6 signed long integers out of bounds relative to the undersized buffer. This out-of-bounds write can potentially lead to arbitrary code execution. It has been reported that this vulnerability may have been exploited in the wild.

  34. CVE-2025-3248

    05 May 2025, 00:00

    Langflow

    Added to CISA KEV catalog

    Vulnerability name
    Langflow Missing Authentication Vulnerability
    Product
    Langflow

    CVE-2025-3248 is a code injection vulnerability that affects Langflow versions prior to 1.3.0. It exists in the `/api/v1/validate/code` endpoint, where a remote, unauthenticated attacker can send crafted HTTP requests to execute arbitrary code on the server. This vulnerability allows attackers to gain control of vulnerable Langflow servers without needing authentication. To remediate this vulnerability, users are advised to upgrade to Langflow version 1.3.0 or restrict network access to the application.

  35. CVE-2025-34028

    02 May 2025, 00:00

    Commvault

    Added to CISA KEV catalog

    Vulnerability name
    Commvault Command Center Path Traversal Vulnerability
    Product
    Commvault Command Center

    CVE-2025-34028 is a vulnerability in Commvault Command Center Innovation Release that allows an unauthenticated attacker to upload ZIP files. This path traversal vulnerability can lead to remote code execution when the server expands these files. The vulnerability affects Command Center Innovation Release versions 11.38.0 through 11.38.19 and has been patched in version 11.38.20. The vulnerability exists in the "deployWebpackage.do" and "deployServiceCommcell.do" endpoints, which are excluded from authentication requirements. An attacker can exploit this by sending an HTTP request to these endpoints, triggering a Server-Side Request Forgery (SSRF) vulnerability. This allows the attacker to force the Commvault server to download a ZIP file from an external server, use path traversal to place files in restricted directories, and ultimately execute malicious code via the web interface.

  36. CVE-2024-58136

    02 May 2025, 00:00

    Yii (PHP)

    Added to CISA KEV catalog

    Vulnerability name
    Yiiframework Yii Improper Protection of Alternate Path Vulnerability
    Product
    Yiiframework Yii

    CVE-2024-58136 is a vulnerability in Yii 2, a PHP framework, affecting versions prior to 2.0.52. It involves mishandling the attaching of behavior that is defined by an `__class` array key. This vulnerability is a regression of a previously patched issue, CVE-2024-4990. The vulnerability allows attackers to manipulate the behavior of Yii 2 web applications. It stems from improper type and configuration checks in Yii's use of PHP's `__set()` magic method and the `Yii::createObject()` function, potentially leading to the instantiation of arbitrary PHP classes with malicious arguments. This vulnerability was actively exploited between February and April 2025.

  37. CVE-2024-38475

    01 May 2025, 00:00

    Apache HTTP Server

    Added to CISA KEV catalog

    Vulnerability name
    Apache HTTP Server Improper Escaping of Output Vulnerability
    Product
    Apache HTTP Server

    CVE-2024-38475 involves improper output escaping in the `mod_rewrite` module of the Apache HTTP Server, specifically in versions 2.4.59 and earlier. This flaw allows an attacker to map URLs to filesystem locations that the server is permitted to serve but are not intended to be directly accessible. This vulnerability can lead to code execution or source code disclosure. The issue arises when substitutions in the server context use backreferences or variables as the initial segment of the substitution. While the fix might break some existing RewriteRules, the "UnsafePrefixStat" flag can be used to revert to the previous behavior if the substitution is appropriately constrained.

  38. CVE-2023-44221

    01 May 2025, 00:00

    SMA100

    Added to CISA KEV catalog

    Vulnerability name
    SonicWall SMA100 Appliances OS Command Injection Vulnerability
    Product
    SonicWall SMA100 Appliances

    CVE-2023-44221 is a command injection vulnerability found in the SMA100 SSL-VPN management interface. It allows a remote, authenticated attacker with administrative privileges to inject arbitrary commands. These commands are executed as the "nobody" user, potentially leading to OS command injection. This vulnerability exists due to improper neutralization of special elements within the SMA100 SSL-VPN management interface. It is often exploited in conjunction with other vulnerabilities, such as CVE-2024-38475, to bypass authentication and gain administrative control over affected systems.

  39. CVE-2025-31324

    29 Apr 2025, 00:00

    SAP NetWeaver

    Added to CISA KEV catalog

    Vulnerability name
    SAP NetWeaver Unrestricted File Upload Vulnerability
    Product
    SAP NetWeaver

    CVE-2025-31324 is a vulnerability affecting SAP NetWeaver Visual Composer Metadata Uploader. The core issue is a missing authorization check, which allows unauthenticated attackers to upload potentially malicious executable binaries to the system. This vulnerability can be exploited by crafting malicious POST requests to deliver webshells, enabling attackers to execute system commands, upload unauthorized files, seize control of compromised systems, execute remote code, and potentially steal sensitive data.

  40. CVE-2025-42599

    28 Apr 2025, 00:00

    Qualitia Active! mail

    Added to CISA KEV catalog

    Vulnerability name
    Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
    Product
    Qualitia Active! Mail

    CVE-2025-42599 is a stack-based buffer overflow vulnerability found in Active! mail 6 BuildInfo version 6.60.05008561 and earlier. This vulnerability can be exploited by a remote, unauthenticated attacker sending a specially crafted request. Successful exploitation could lead to arbitrary code execution or a denial-of-service (DoS) condition.

  41. CVE-2025-3928

    28 Apr 2025, 00:00

    Commvault Web Server

    Added to CISA KEV catalog

    Vulnerability name
    Commvault Web Server Unspecified Vulnerability
    Product
    Commvault Web Server

    CVE-2025-3928 is an unspecified vulnerability in the Commvault Web Server. It allows a remote, authenticated attacker to create and execute webshells on the affected server. The vulnerability can be exploited by any authenticated remote user, without requiring administrative privileges. CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog and recommends applying available vendor mitigations. Patches are available for Windows and Linux platforms in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217.

  42. CVE-2025-1976

    28 Apr 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    Broadcom Brocade Fabric OS Code Injection Vulnerability
    Product
    Broadcom Brocade Fabric OS

    CVE-2025-1976 is a code injection vulnerability affecting Broadcom Brocade Fabric OS. It exists in versions 9.1.0 through 9.1.1d6. The vulnerability allows a local user with administrative privileges to execute arbitrary code with full root privileges due to a flaw in IP Address validation. This vulnerability is actively being exploited. To mitigate the risk, it is recommended to update to Brocade Fabric OS version 9.1.1d7, which contains a security update to address the flaw.

  43. CVE-2025-31201

    17 Apr 2025, 00:00

    Apple

    Added to CISA KEV catalog

    Vulnerability name
    Apple Multiple Products Arbitrary Read and Write Vulnerability
    Product
    Apple Multiple Products

    CVE-2025-31201 is a vulnerability in RPAC (Return Pointer Authentication Code), a security feature designed to prevent return-oriented programming attacks. The vulnerability allows an attacker with arbitrary read and write capabilities to bypass Pointer Authentication. Apple addressed this issue by removing the vulnerable code in tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1 and iPadOS 18.4.1, and macOS Sequoia 15.4.1. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

  44. CVE-2025-31200

    17 Apr 2025, 00:00

    CoreAudio
    Apple

    Added to CISA KEV catalog

    Vulnerability name
    Apple Multiple Products Memory Corruption Vulnerability
    Product
    Apple Multiple Products

    CVE-2025-31200 is a memory corruption vulnerability that exists in Apple's CoreAudio framework. This vulnerability can be triggered when processing an audio stream within a maliciously crafted media file. Successful exploitation of this vulnerability could allow for arbitrary code execution on the affected device. Apple has addressed this issue with improved bounds checking in tvOS 18.4.1, visionOS 2.4.1, iOS and iPadOS 18.4.1, and macOS Sequoia 15.4.1. It was reported that this vulnerability may have been exploited in targeted attacks against specific individuals.

  45. CVE-2025-24054

    17 Apr 2025, 00:00

    Windows NTLM

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
    Product
    Microsoft Windows

    CVE-2025-24054 is a vulnerability in Windows NTLM that involves external control of the file name or path, potentially allowing an unauthorized attacker to perform spoofing over a network. The vulnerability can be exploited using a maliciously crafted .library-ms file. Active exploitation of CVE-2025-24054 has been observed in the wild since March 19, 2025. Attackers can potentially leak NTLM hashes or user passwords, compromising systems. Exploitation can be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to a folder containing the malicious file.

  46. CVE-2021-20035

    16 Apr 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    SonicWall SMA100 Appliances OS Command Injection Vulnerability
    Product
    SonicWall SMA100 Appliances

    Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as the 'nobody' user, which potentially leads to DoS.

  47. CVE-2024-53197

    09 Apr 2025, 00:00

    Linux Kernel

    Added to CISA KEV catalog

    Vulnerability name
    Linux Kernel Out-of-Bounds Access Vulnerability
    Product
    Linux Kernel

    CVE-2024-53197 is a privilege escalation vulnerability found in the USB sub-component of the Linux kernel. It stems from improper handling of the `bNumConfigurations` value in the ALSA USB audio subsystem, which can lead to out-of-bounds memory accesses. This vulnerability could allow an attacker with physical access to the system, through a malicious USB device, to manipulate system memory, potentially escalating privileges or executing arbitrary code. It has been identified as being exploited in targeted attacks, including being part of an exploit chain used to compromise an Android phone in December 2024.

  48. CVE-2024-53150

    09 Apr 2025, 00:00

    Added to CISA KEV catalog

    Vulnerability name
    Linux Kernel Out-of-Bounds Read Vulnerability
    Product
    Linux Kernel

    In the Linux kernel, the following vulnerability has been resolved:

    ALSA: usb-audio: Fix out of bounds reads when finding clock sources

    The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads.

    For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop.

    For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.

  49. CVE-2025-30406

    08 Apr 2025, 00:00

    Gladinet CentreStack

    Added to CISA KEV catalog

    Vulnerability name
    Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability
    Product
    Gladinet CentreStack

    CVE-2025-30406 is a vulnerability affecting Gladinet CentreStack, a cloud-based enterprise file-sharing platform. It stems from the use of a hard-coded cryptographic key within the application's web configuration files (web.config). This key is used for ViewState integrity verification. Successful exploitation of this flaw allows an attacker to forge ViewState payloads. This enables server-side deserialization, ultimately leading to remote code execution. The vulnerability is classified as CWE-321, which highlights the risks associated with using hard-coded cryptographic keys.

  50. CVE-2025-31161

    07 Apr 2025, 00:00

    CrushFTP

    Added to CISA KEV catalog

    Vulnerability name
    CrushFTP Authentication Bypass Vulnerability
    Product
    CrushFTP CrushFTP

    CVE-2025-31161 is a critical authentication bypass vulnerability found in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It stems from a flaw in the AWS4-HMAC authorization method within the HTTP component, allowing remote attackers to gain unauthorized access to systems running unpatched versions of the software via unauthenticated HTTP requests. The vulnerability allows attackers to impersonate any known or guessable user, including the "crushadmin" account, by sending a manipulated Authorization header. The server initially verifies user existence without requiring a password, enabling session authentication through HMAC verification before a subsequent user verification check. This bypass can lead to a full compromise of the system by obtaining an administrative account.