Activity

Latest CVE events and analysis as they emerge

  1. CVE-2025-21042

    10 Nov 2025, 00:00

    Samsung libimagecodec

    Added to CISA KEV catalog

    Vulnerability name
    Samsung Mobile Devices Out-of-Bounds Write Vulnerability
    Product
    Samsung Mobile Devices

    CVE-2025-21042 is an out-of-bounds write vulnerability in Samsung's libimagecodec.quram.so, the library that parses and decodes images on Samsung Galaxy devices. Processing a specially crafted image file causes a write outside the allocated buffer, and successful exploitation lets a remote attacker execute arbitrary code on the device. Because the decoder runs on any image the device handles, the crafted file can arrive through email attachments, messaging apps, or web browsing. Samsung addressed the flaw in the SMR Apr-2025 Release 1 security update.

  2. CVE-2025-48703

    04 Nov 2025, 00:00

    CentOS Web Panel

    Added to CISA KEV catalog

    Vulnerability name
    CWP Control Web Panel OS Command Injection Vulnerability
    Product
    CWP Control Web Panel

    CVE-2025-48703 is an OS command injection leading to remote code execution (RCE) in the `filemanager` module of CentOS Web Panel (CWP), a web hosting control panel (not cPanel, with which it is sometimes confused). The flaw stems from missing input sanitization in the `acc=changePerm` action, where the `t_total` parameter (the requested permission mode) is passed to a shell command, so shell metacharacters in that value inject arbitrary system commands. The action is reachable by an unauthenticated attacker who knows a valid non-root username on the server. Successful exploitation typically ends in a reverse shell for persistent access, followed by privilege escalation or lateral movement. The issue was reported against CWP versions 0.9.8.1204 and 0.9.8.1188.
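    The following Python illustration (added here; it is a hypothetical reconstruction of the pattern the advisory describes, not CWP's PHP source) shows why a permission value that reaches a shell string is exploitable and what a safe handler looks like: validate `t_total` as a pure octal mode, confine `fileName` to the account's home, and execute with an argv list instead of a shell. The request bodies are constructed for the example.

```python
import posixpath
import re
import shlex
from urllib.parse import parse_qs

# The only legitimate shape of a permission field is three or four octal digits.
MODE_RE = re.compile(r"[0-7]{3,4}")

# Constructed request bodies. In the malicious one, t_total decodes to
# "755;id>/tmp/o": an octal mode, a shell separator, then an attacker command.
MALICIOUS_QUERY = ("acc=changePerm&t_total=755%3Bid%3E%2Ftmp%2Fo"
                   "&fileName=/home/alice/public_html/index.php")
BENIGN_QUERY = "acc=changePerm&t_total=644&fileName=/home/alice/public_html/index.php"
TRAVERSAL_QUERY = "acc=changePerm&t_total=644&fileName=/home/alice/../../etc/passwd"


def vulnerable_command(query):
    """Shell string built from raw parameters (hypothetical vulnerable shape).

    If this string is handed to a shell, the ';' inside t_total terminates
    chmod and everything after it runs as a second command.
    """
    params = parse_qs(query)
    return f"chmod {params['t_total'][0]} {params['fileName'][0]}"


def injected_commands(shell_string):
    """Split a command line the way a POSIX shell would at ';' boundaries.

    Returns a list of argv-style token lists, one per command.
    """
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def hardened_argv(query, account_home):
    """Validate both fields and return an argv list for a shell-free exec.

    Raises ValueError for anything that is not a bare octal mode or a path
    inside the account's home directory (after normalising '..' segments).
    """
    params = parse_qs(query)
    mode = params.get("t_total", [""])[0]
    target = params.get("fileName", [""])[0]
    if not MODE_RE.fullmatch(mode):
        raise ValueError(f"rejected mode {mode!r}")
    normalized = posixpath.normpath(target)
    if not normalized.startswith(account_home.rstrip("/") + "/"):
        raise ValueError(f"rejected path {target!r}")
    # subprocess.run(argv) with no shell: the mode is a single argument and
    # cannot introduce a second command.
    return ["chmod", mode, normalized]


if __name__ == "__main__":
    print("vulnerable string:", vulnerable_command(MALICIOUS_QUERY))
    print("shell would run:  ", injected_commands(vulnerable_command(MALICIOUS_QUERY)))
    print("hardened argv:    ", hardened_argv(BENIGN_QUERY, "/home/alice"))
```

    The hardened handler never builds a string for a shell at all; the regex check is defence in depth, and the path check closes the separate traversal problem that a permission-changing endpoint invites.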

  3. CVE-2025-11371

    04 Nov 2025, 00:00

    Gladinet CentreStack

    Added to CISA KEV catalog

    Vulnerability name
    Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
    Product
    Gladinet CentreStack and Triofox

    CVE-2025-11371 is an unauthenticated local file inclusion vulnerability in Gladinet CentreStack and Triofox. It is present in the default installation and configuration of both products and lets an attacker read sensitive files from the server without authenticating. Exploitation has been observed in the wild. All versions of CentreStack and Triofox up to and including 16.7.10368.56560 are affected. In the observed attack chain, the threat actor uses the file read to retrieve the ASP.NET machine key from the application's Web.config, then uses that key to forge a ViewState payload and achieve remote code execution through ViewState deserialization.

  4. CVE-2025-41244

    30 Oct 2025, 00:00

    VMware Tools

    Added to CISA KEV catalog

    Vulnerability name
    Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability
    Product
    Broadcom VMware Aria Operations and VMware Tools

    CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Tools and VMware Aria Operations. It stems from overly broad regular expressions in the `get-versions.sh` script shared by VMware Tools and the Aria Operations Service Discovery Management Pack (SDMP). The script's `get_version()` function enumerates processes with listening sockets, matches each one's executable path against a service pattern, and then runs the matched binary to collect its version string. Because the patterns use the non-whitespace shorthand `\S` for the directory portion, a path like `/tmp/httpd` matches just as well as `/usr/sbin/httpd`. A local attacker can therefore stage a malicious binary under a matching name in a user-writable directory, start it listening on a socket, and wait for the privileged VMware discovery context to execute it, gaining root. Because the script trusts whichever path the regex matched, the weakness is CWE-426 (Untrusted Search Path), and exploitation is trivial for any local user.
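    The following Python model (added here; it re-creates the matching logic described above and is not VMware's `get-versions.sh`) shows why the `\S` shorthand lets a staged `/tmp/httpd` through, and contrasts it with a check that only runs binaries from directories an unprivileged user cannot write to. The service patterns and the listening-process table are constructed for the example.

```python
import re

# Illustrative patterns in the style the page describes: an unanchored
# "\S+/<name>" regex tested against a listening process's executable path.
# Constructed for this example, not copied from get-versions.sh.
SERVICE_PATTERNS = {
    "httpd": r"\S+/httpd(-\S+)?",
    "mysqld": r"\S+/mysqld",
    "nginx": r"\S+/nginx",
}

# Directories that are root-owned and not writable by ordinary users on a
# stock install; the hardened check only runs binaries that live under these.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                    "/usr/libexec/", "/usr/local/sbin/", "/usr/local/bin/")

# Constructed listening-process table: (pid, executable path). Two of the
# four entries were staged by a local user in world- or user-writable paths.
LISTENING = [
    (1203, "/usr/sbin/httpd"),
    (4471, "/tmp/httpd"),
    (2210, "/home/alice/.local/bin/mysqld"),
    (990, "/usr/sbin/sshd"),
]


def match_service(exe):
    """Return the service name whose regex matches exe, or None.

    This mirrors the overly broad behaviour: the \\S+ run happily swallows
    "/tmp" or a home directory, so where the binary lives never affects it.
    """
    for name, pattern in SERVICE_PATTERNS.items():
        if re.search(pattern, exe):
            return name
    return None


def would_execute_unsafe(proc_table):
    """Executable paths the unpatched logic would run as root for versioning."""
    return [exe for _, exe in proc_table if match_service(exe)]


def would_execute_hardened(proc_table):
    """Same scan, but refuse anything outside the trusted directories.

    A production fix should additionally resolve symlinks and reject paths
    whose parent is writable by others; the allowlist is the minimum that
    blocks the /tmp and home-directory cases.
    """
    return [exe for _, exe in proc_table
            if match_service(exe) and exe.startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    print("unpatched would run:", would_execute_unsafe(LISTENING))
    print("hardened would run: ", would_execute_hardened(LISTENING))
```

    The point of the model is that the regex is doing two jobs at once, identifying the service and deciding what gets executed as root, and `\S+` cannot express "a location I trust". Separating identification from an explicit allowlist of executable locations is the fix shape, whatever the exact patterns in the real script.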

  5. CVE-2025-24893

    30 Oct 2025, 00:00

    XWiki Platform

    Added to CISA KEV catalog

    Vulnerability name
    XWiki Platform Eval Injection Vulnerability
    Product
    XWiki Platform

    CVE-2025-24893 is a critical remote code execution (RCE) vulnerability in the XWiki Platform, located in the SolrSearch macro. The macro evaluates search parameters, in particular when serving RSS feed requests, without escaping scripting-language special characters, so an unauthenticated (guest) attacker can embed Groovy expressions in the search query of a crafted HTTP request and have them evaluated with the privileges of the XWiki server process. Affected versions run from 5.3-milestone-2 up to but not including 15.10.11, and from 16.0.0-rc-1 up to but not including 16.4.1.

  6. CVE-2025-6205

    28 Oct 2025, 00:00

    DELMIA Apriso

    Added to CISA KEV catalog

    Vulnerability name
    Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
    Product
    Dassault Systèmes DELMIA Apriso

    CVE-2025-6205 is a missing authorization vulnerability affecting Dassault Systèmes DELMIA Apriso from Release 2020 through Release 2025. An attacker could exploit this flaw to gain privileged access to the application. This vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog, and federal agencies are required to fix it by November 18, 2025. It was addressed by Dassault Systèmes in early August. ProjectDiscovery researchers indicated that this flaw can be combined with CVE-2025-6204 to create accounts with elevated privileges and drop executable files, leading to a full application compromise.

  7. CVE-2025-6204

    28 Oct 2025, 00:00

    DELMIA Apriso

    Added to CISA KEV catalog

    Vulnerability name
    Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
    Product
    Dassault Systèmes DELMIA Apriso

    CVE-2025-6204 is a code injection vulnerability affecting Dassault Systèmes DELMIA Apriso, specifically versions from Release 2020 through Release 2025. This vulnerability could allow an attacker to execute arbitrary code. This vulnerability exists because of an improper control of code generation within the affected software. It has been added to CISA's Known Exploited Vulnerabilities (KEV) list, indicating it has been exploited in the wild.

  8. CVE-2025-59287

    24 Oct 2025, 00:00

    Windows Server Update Service

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
    Product
    Microsoft Windows

    CVE-2025-59287 is a remote code execution vulnerability in the Windows Server Update Services (WSUS) server role, caused by deserialization of untrusted data in a legacy serialization mechanism. An unauthenticated, remote attacker who can reach the WSUS service (by default TCP 8530 or 8531) can send a crafted event that triggers unsafe object deserialization and execute arbitrary code on the server. Only systems with the WSUS role enabled are exposed; a WSUS server is a high-value target because it distributes updates to every client that trusts it.

  9. CVE-2025-54236

    24 Oct 2025, 00:00

    Magento / Adobe Commerce (SessionReaper)

    Added to CISA KEV catalog

    Vulnerability name
    Adobe Commerce and Magento Improper Input Validation Vulnerability
    Product
    Adobe Commerce and Magento

    CVE-2025-54236, also known as SessionReaper, is an improper input validation vulnerability in the Web API of Adobe Commerce and Magento Open Source. Adobe's advisory describes the impact as a security feature bypass that can allow attackers to take over customer accounts, steal data, and place fraudulent orders; researchers have shown it reaches unauthenticated remote code execution by combining a malicious session with a nested deserialization bug in the REST API. Exploitation appears to require file-based session storage, so stores using Redis or database sessions are less exposed. Adobe released an emergency patch for this critical flaw.

  10. CVE-2025-61932

    22 Oct 2025, 00:00

    Lanscope Endpoint Manager

    Added to CISA KEV catalog

    Vulnerability name
    Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability
    Product
    Motex LANSCOPE Endpoint Manager

    CVE-2025-61932 is a vulnerability in Motex's Lanscope Endpoint Manager (On-Premises), specifically affecting the Client program (MR) and Detection Agent (DA). The vulnerability stems from the software's improper verification of the origin of incoming requests. This flaw allows a remote attacker to execute arbitrary code on the system by sending specially crafted packets. It has been confirmed that the vulnerability has been actively exploited in the wild. CISA has added CVE-2025-61932 to its Known Exploited Vulnerabilities (KEV) list.

  11. CVE-2025-61884

    20 Oct 2025, 00:00

    Oracle Configurator

    Added to CISA KEV catalog

    Vulnerability name
    Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
    Product
    Oracle E-Business Suite

    CVE-2025-61884 is a vulnerability affecting the Oracle Configurator component's Runtime UI within the Oracle E-Business Suite (EBS). The vulnerability impacts versions 12.2.3 through 12.2.14. It can be exploited by an unauthenticated attacker with network access via HTTP. Successful exploitation of CVE-2025-61884 can lead to unauthorized access to critical data or complete access to all Oracle Configurator accessible data. Oracle has released a security patch to address this vulnerability and strongly recommends that customers apply the provided updates promptly.

  12. CVE-2025-33073

    20 Oct 2025, 00:00

    Windows SMB Client

    Added to CISA KEV catalog

    Vulnerability name
    Microsoft Windows SMB Client Improper Access Control Vulnerability
    Product
    Microsoft Windows

    CVE-2025-33073 is an elevation of privilege vulnerability in the Windows Server Message Block (SMB) client, caused by improper access control in Windows SMB, that lets an authenticated attacker gain SYSTEM over the network. The attacker runs a specially crafted script that coerces the victim machine into connecting back to an attacker-controlled host over SMB and authenticating; the resulting NTLM authentication is reflected back to the victim, yielding SYSTEM privileges. Enforcing SMB signing is Microsoft's recommended mitigation where the update cannot be applied immediately.

  13. CVE-2025-2747

    20 Oct 2025, 00:00

    Kentico Xperience

    Added to CISA KEV catalog

    Vulnerability name
    Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
    Product
    Kentico Xperience CMS

    An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.

  14. CVE-2025-2746

    20 Oct 2025, 00:00

    Kentico Xperience

    Added to CISA KEV catalog

    Vulnerability name
    Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
    Product
    Kentico Xperience CMS

    An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.

  15. CVE-2022-48503

    20 Oct 2025, 00:00

    tvOS

    Added to CISA KEV catalog

    Vulnerability name
    Apple Multiple Products Unspecified Vulnerability
    Product
    Apple Multiple Products

    The issue was addressed with improved bounds checks. This issue is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, Safari 15.6. Processing web content may lead to arbitrary code execution.

  16. CVE-2025-54253

    16 Oct 2025, 00:00

    Adobe Experience Manager

    Added to CISA KEV catalog

    Vulnerability name
    Adobe Experience Manager Forms Code Execution Vulnerability
    Product
    Adobe Experience Manager (AEM) Forms

    CVE-2025-54253 is a misconfiguration vulnerability affecting Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23 and earlier. It stems from an authentication bypass in the /adminui module combined with a misconfigured developer setting. The vulnerability exists because Struts2's development mode was mistakenly left enabled. This misconfiguration allows attackers to execute arbitrary code. Specifically, it enables the execution of OGNL expressions through debug parameters sent in HTTP requests. Exploitation of this vulnerability does not require user interaction.

  17. CVE-2016-7836

    14 Oct 2025, 00:00

    SKYSEA Client View

    Added to CISA KEV catalog

    Vulnerability name
    SKYSEA Client View Improper Authentication Vulnerability
    Product
    SKYSEA Client View

    SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.

  18. CVE-2025-47827

    14 Oct 2025, 00:00

    IGEL OS

    Added to CISA KEV catalog

    Vulnerability name
    IGEL OS Use of a Key Past its Expiration Date Vulnerability
    Product
    IGEL IGEL OS

    In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.

  19. CVE-2025-6264

    14 Oct 2025, 00:00

    Velociraptor

    Added to CISA KEV catalog

    Vulnerability name
    Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
    Product
    Rapid7 Velociraptor

    Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can do anything and usually run with elevated permissions. To limit access to dangerous artifacts, Velociraptor lets an artifact require an additional high permission, such as EXECVE, before it can be launched. The Admin.Client.UpdateClientConfig artifact, used to update a client's configuration, did not enforce such an additional permission, so any user with the COLLECT_CLIENT permission (normally granted by the "Investigator" role) could collect it from endpoints and rewrite the client configuration. This can lead to arbitrary command execution and endpoint takeover. To exploit this vulnerability the user must already be able to collect artifacts from the endpoint (i.e. hold COLLECT_CLIENT, typically via the "Investigator" role).