Top Reported Known Exploitable Issues:
Here is the complete list of the latest vulnerabilities that we have updated within our platform and that should be treated as a priority:
CVE-2024-21907 | Microsoft Newtonsoft.Json
CVE-2024-21907 (CVSS score: 7.5) is a vulnerability in Newtonsoft.Json, a third-party component used in SQL Server, that could be exploited to trigger a denial-of-service condition. Proof-of-concept code is available.
CVE-2023-26083 | Mali GPU Kernel Driver in Midgard
A memory leak vulnerability in the Mali GPU Kernel Driver (Midgard GPU Kernel Driver all versions from r6p0 – r32p0, Bifrost GPU Kernel Driver all versions from r0p0 – r42p0, Valhall GPU Kernel Driver all versions from r19p0 – r42p0, and Avalon GPU Kernel Driver all versions from r41p0 – r42p0) allows a non-privileged user to perform valid GPU processing operations that expose sensitive kernel metadata.
CVE-2025-38352 | Google Android
Google has addressed security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. The vulnerabilities are listed below:
- CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
- CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component
Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.
CVE-2025-42957 | SAP S/4HANA
A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. “SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC,” according to a description of the flaw in the NIST National Vulnerability Database (NVD). “This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks.”
CVE-2025-54236 | Magento
Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it’s not aware of any exploits in the wild. “A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API.”
CVE-2025-21043 | Android
The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution. “Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.”
CVE-2025-9377 | TP-Link
- CVE-2025-9377 (CVSS score: 8.6) – An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution.
- CVE-2023-50224 (CVSS score: 6.5) – An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in “/tmp/dropbear/dropbearpwd”.
CVE-2025-55177 | WhatsApp
The vulnerability, CVE-2025-55177 (CVSS score: 8.0 [CISA-ADP]/5.4 [Facebook]), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and reporting the bug. The Meta-owned company said the issue “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.” The flaw affects the following versions:
- WhatsApp for iOS prior to version 2.25.21.73 (Patched on July 28, 2025)
- WhatsApp Business for iOS version 2.25.21.78 (Patched on August 4, 2025)
- WhatsApp for Mac version 2.25.21.78 (Patched on August 4, 2025)
CVE-2025-48384 | Git
CVE-2025-48384 (CVSS score: 8.1) – A link following vulnerability in Git that arises from inconsistent handling of carriage return (CR) characters in configuration files, resulting in arbitrary code execution.
CVE-2025-7775 | Citrix
- CVE-2025-7775 is an “improper restriction of operations within the bounds of a memory buffer” vulnerability with a CVSSv4 base score of 9.2. Successful exploitation could allow an unauthenticated attacker to execute code remotely on the NetScaler appliance. CVE-2025-7775 is under active exploitation.
- CVE-2025-7776 is an “improper restriction of operations within the bounds of a memory buffer” vulnerability with a CVSSv4 base score of 8.8. Successful exploitation could allow an unauthenticated, remote attacker to cause the NetScaler appliance to exhibit unpredictable or erroneous behaviour, or to conduct a denial-of-service.
- CVE-2025-8424 is an “improper access control” vulnerability with a CVSSv4 base score of 8.7. Successful exploitation could allow a remote, unauthorised attacker to gain access to the NetScaler management interface, leading to full device takeover.
CVE-2025-53690 | Sitecore
The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. “Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.”
CVE-2025-55145 | Ivanti
Ivanti has released a security advisory addressing 11 vulnerabilities affecting Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.
- CVE-2025-55145 – Missing Authorisation vulnerability – CVSSv3 score: 8.9
- CVE-2025-55147 – Cross Site Request Forgery vulnerability – CVSSv3 score: 8.8
- CVE-2025-55141 – Missing Authorisation vulnerability – CVSSv3 score: 8.8
- CVE-2025-55142 – Missing Authorisation vulnerability – CVSSv3 score: 8.8
- CVE-2025-55148 – Missing Authorisation vulnerability – CVSSv3 score: 7.6
The updates address six other medium severity vulnerabilities.
CVE-2025-9074 | Docker
The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. “A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted.”
CVE-2025-43300 | Apple iOS
CVE-2025-43300: Apple
Impact: Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Description: An out-of-bounds write issue was addressed with improved bounds checking.