Top Reported Known Exploitable Issues:
Here is the complete list of vulnerabilities for this month that we’ve updated within our platform, to be treated as a priority:
CVE-2023-20118 | Cisco
CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices.
CVE-2025-25181 | VeraCore
A SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands.
CVE-2025-23209 | Craft CMS
The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8. “Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys”.
CVE-2025-24983 | Win32 Kernel Subsystem
CVE-2025-24983 (CVSS score: 7.0) – A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2024-57726 | SimpleHelp
CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 can be exploited in a chain to allow full compromise of a SimpleHelp server.
CVE-2025-24991 | Windows NTFS
CVE-2025-24991 (CVSS score: 5.5) – An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally.
CVE-2025-24993 | Windows NTFS
CVE-2025-24993 (CVSS score: 7.8) – A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally.
CVE-2023-34192 | Zimbra
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
CVE-2024-13161 | Ivanti EPM
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information.
CVE-2025-22225 | VMware ESXi Arbitrary Write Vulnerability
VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.
CVE-2024-49035 | Microsoft Partner Center Improper Access Control Vulnerability
An improper access control vulnerability in Partner.Microsoft.com allows an a unauthenticated attacker to elevate privileges over a network.
CVE-2025-24989 | Microsoft Power Pages Elevation of Privilege Vulnerability
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
CVE-2025-26633 | Microsoft Management Console
CVE-2025-26633 (CVSS score: 7.0) – An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally.
CVE-2025-24201 | Apple Webkit
Apple has released a security update to address a zero-day flaw that it said has been exploited in “extremely sophisticated” attacks. The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component. It has been described as an out-of-bounds write issue that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandbox.
CVE-2017-3066 | Adobe Coldfusion
CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017).
CVE-2024-13159 | Ivanti EPM
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-12297 | Moxa
The vulnerability, tracked as CVE-2024-12297, has been assigned a CVSS v4 score of 9.2 out of a maximum of 10.0. Multiple Moxa PT switches are vulnerable to an authentication bypass because of flaws in their authorization mechanism.
CVE-2024-4577 | PHP-CGI
Attackers have exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.
CVE-2025-25012 | Kibana
Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. “Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.
CVE-2025-24985 | Windows Fast FAT
CVE-2025-24985 (CVSS score: 7.8) – An integer overflow vulnerability in Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally.
CVE-2025-24984 | Windows NTFS
CVE-2025-24984 (CVSS score: 4.6) – A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory.
CVE-2025-1001 | RadiAnt
Medixant has released a security update to address an improper certificate validation vulnerability in RadiAnt DICOM Viewer. CVE-2025-1001 has a CvSSv4 score of 5.7 and could allow an attacker with privileged network access to impersonate RadiAnt’s update server. An attacker could modify the server’s response to deliver a malicious update to the user, performing a machine-in-the-middle (MitM) attack.
CVE-2024-20953 | Oracle Agile PLM
CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024).
CVE-2024-57968 | VeraCore
An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx.
CVE-2025-20206 | Cisco Secure Client Windows
Cisco has released a security advisory to address a vulnerability in its Secure Client for Windows. Secure Client is Cisco’s endpoint virtual private network (VPN) solution. CVE-2025-20206 has a CVSSv3 score of 7.1 and if exploited could allow an authenticated, local attacker to achieve arbitrary code execution (ACE) on the affected machine with SYSTEM privileges via DLL hijacking. The vulnerability only affects the Windows version of Secure Client, and only affects Secure Clients with the Secure Firewall Posture Engine module installed.
CVE-2025-27363 | Free type font
Meta has warned that a security vulnerability impacting the FreeType open-source font rendering library may have been exploited in the wild. The vulnerability has been assigned the CVE identifier CVE-2025-27363, and carries a CVSS score of 8.1, indicating high severity. Described as an out-of-bounds write flaw, it could be exploited to achieve remote code execution when parsing certain font files.
CVE-2024-13160 | Ivanti EPM
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information.
CVE-2025-0108 | Palo Alto
The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is restricted to a jump box. “An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts,” Palo Alto Networks said in an advisory.
CVE-2023-34192 | Zimbra
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
CVE-2024-13160 | Ivanti EPM
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information.
CVE-2025-24993 | Windows NTFS
CVE-2025-24993 (CVSS score: 7.8) – A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally.
CVE-2025-21589 | Juniper
API authentication bypass vulnerability CVE-2025-21589 affects Session Smart Router, Conductor, and WAN Assurance Managed Routers. Affected organisations are encouraged to review Juniper Networks out-of-cycle security bulletin: “Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)” Article ID JSA94663 and apply any relevant security update.
