Top Reported Known Exploitable Issues:
Here is the complete list of vulnerabilities for this month that we’ve updated within our platform, to be treated as a priority:
CVE-2019-9875 | SiteCore
CVE-2019-9875 (CVSS score: 8.8) – A deserialization vulnerability in the unknown link.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
CVE-2025-1974| NGINX
An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions.
CVE-2025-2783 | Chrome Windows
Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that has been exploited in the wild as part of attacks targeting organizations in Russia. The vulnerability, tracked as CVE-2025-2783, has been described as a case of “incorrect handle provided in unspecified circumstances in Mojo on Windows.” Mojo refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). As is customary, Google did not reveal additional technical specifics about the nature of the attacks, the identity of the threat actors behind them, and who may have been targeted. The vulnerability has been plugged in Chrome version 134.0.6998.177/.178 for Windows.
CVE-2025-1316 | edimax
Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device.
CVE-2025-22230 | VMware Tools
Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Common Vulnerability Scoring System (CVSS). “VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control,” Broadcom said in an alert issued Tuesday. “A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM.
CVE-2025-24472 | Fortinet
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
CVE-2025-23120 | Veeam
Veeam has issued a security bulletin addressing a critical vulnerability in their Backup & Replication product. Veeam Backup & Replication is a proprietary backup application for virtual environments built on various hypervisors. CVE-2025-23120 is a critical vulnerability with a a CvSSv4 score of 9.9. Successful exploitation could allow an authenticated, remote attacker to perform remote code execution (RCE), provided the attacker has valid domain privileges.
CVE-2025-3102 | WordPress OttoKit
The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. “The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78.
CVE-2025-29927 | Next.js
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0. “Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” Next.js said in an advisory. “It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.” The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching is not an option, it’s recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
CVE-2024-48248 | NAKIVO Backup
NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).
CVE-2025-30066 | GitHub
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
CVE-2024-20439 | Cisco Smart Licensing Utility Static Credential Vulnerability
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application.
CVE-2025-24813 | Apache Tomcat
The Apache Software Foundation has released security updates addressing a vulnerability in Apache Tomcat. Tomcat is an open-source web server and servlet container that is used to deploy and serve Java-based web applications. CVE-2025-24813 is ‘deserialisation of untrusted data’ and ‘path equivalence: file.name (Internal dot)’ vulnerability that an attacker could exploit to achieve remote code execution (RCE), view security sensitive files, or inject content into those files. Exploitation of this vulnerability has been reported in the wild and a public proof-of-concept exploit has been release.
CVE-2025-30406 | Gladinet CentreStack
The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote code execution. It has been addressed in version 16.4.10315.56368 released on April 3, 2025. “Gladinet CentreStack contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification,” CISA said. “Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution.”
CVE-2019-9874 | SiteCore
CVE-2019-9874 (CVSS score: 9.8) – A deserialization vulnerability in the unknown link.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN
CVE-2025-22457 | Ivanti Connect Secure
The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. “A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2017-12637 | SAP NetWeaver
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
CVE-2025-29824 | Microsoft CLFS
The vulnerability that has been flagged as under active attack is an elevation of privilege (EoP) flaw impacting the Windows Common Log File System (CLFS) Driver (CVE-2025-29824, CVSS score: 7.8) that stems from a use-after-free scenario, allowing an authorized attacker to elevate privileges locally.
CVE-2024-53197 | potential out-of-bound accesses for Extigy and Mbox devices
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.
CVE-2025-2825 | CrushFTP
A vulnerability has been disclosed in CrushFTP, a file server supporting standard secure file transfer protocols, after being discovered by a security researcher. The vulnerability designated as CVE-2025-2825 is a critical ‘improper authentication’ vulnerability with a CVSSv3 score of 9.8. Successful exploitation could allow an unauthenticated attacker to craft remote and unauthenticated HTTP requests to CrushFTP, which could lead to unauthorised access. Note: The vulnerability is not exploitable if organisations have implemented the demilitarised zone (DMZ) function of CrushFTP.
CVE-2025-24813 | Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Path Equivalence: ‘file.Name‘ (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: – writes enabled for the default servlet (disabled by default) – support for partial PUT (enabled by default) – a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads – attacker knowledge of the names of security sensitive files being uploaded – the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: – writes enabled for the default servlet (disabled by default) – support for partial PUT (enabled by default) – application was using Tomcat’s file based session persistence with the default storage location – application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
CVE-2025-2857 | FireFox Windows
Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.” The shortcoming, which affects Firefox and Firefox ESR, has been addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. There is no evidence that CVE-2025-2857 has been exploited in the wild.
