Tag: cvss
-
Critical Apache Parquet Vulnerability Allows Remote Code Execution
A severe vulnerability has been identified in the Apache Parquet Java library, specifically within itsparquet-avromodule. This flaw, tracked as CVE-2025-30065, exposes systems to potential Remote Code Execution (RCE) attacks. It has been ratedCriticalwith a CVSS score of 10.0, indicating the highest level of severity. The root cause is categorized asDeserialization of Untrusted Data (CWE-502). The vulnerability impacts systems…
-
Exploited! Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 CVE-2025-2747)
Recently, two critical security flaws were discovered in Kentico Xperience 13, a popular digital experience platform (CMS). Tracked as CVE-2025-2746 and CVE-2025-2747, these vulnerabilities allow unauthenticated attackers to bypass the Staging Sync Server’s authentication, potentially gaining administrative control over the CMS. Both issues carry a CVSS score of 9.8 (Critical) (Warning: Multiple Critical & High……
-
Critical NetApp SnapCenter Server Vulnerability Allows Attackers to Gain Admin Access
A critical vulnerability has been identified in NetApp’s SnapCenter Server, affecting versions before 6.0.1P1 and 6.1P1. This flaw allows an authenticated SnapCenter Server user to potentially escalate their privileges to admin on remote systems where SnapCenter plug-ins are installed. The vulnerability has been designated as CVE-2025-26512 and carries a Critical severity rating with a CVSS…
-
Introducing Agentic Risk Scoring – Impart Security
Tags: ai, application-security, control, cvss, detection, framework, mitre, nist, risk, risk-assessment, tool, vulnerabilityReimagining Risk Scoring: A Breakthrough in Security Risk Management For years, AppSec and product security teams have been locked in endless debates about the most effective security frameworks and risk scoring methodologies. From CVSS and MITRE ATT&CK to NIST frameworks, these tools promise to quantify and manage security risks”, but how truly helpful are they?…
-
VMware Patches Authentication Bypass Flaw in Windows Tools Suite
The authentication bypass vulnerability, tagged as CVE-2025-22230, carries a CVSS severity score of 7.8/10. The post VMware Patches Authentication Bypass Flaw in Windows Tools Suite appeared first on SecurityWeek. First seen on securityweek.com Jump to article: www.securityweek.com/vmware-patches-authentication-bypass-flaw-in-windows-tools-suite/
-
CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare
Tags: access, advisory, attack, cve, cvss, exploit, flaw, hacker, injection, kubernetes, mitigation, network, open-source, vulnerability, zero-dayFrequently asked questions about five vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively known as IngressNightmare. Background The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding IngressNightmare. FAQ What is IngressNightmare? IngressNightmare is the name given to a series of vulnerabilities in the Ingress NGINX Controller…
-
Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
A set of five critical security shortcomings have been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet.The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974 ), assigned a CVSS score of First seen…
-
CVE-2025-29927: Critical Next.js Flaw Enables Authorization Bypass
A newly disclosed vulnerability in the Next.js React framework has been assigned a CVSS score of 9.1, marking it as a critical security risk. Tracked as CVE-2025-29927, the flaw can be exploited under specific conditions to bypass middleware-based authorization checks,… First seen on sensorstechforum.com Jump to article: sensorstechforum.com/cve-2025-29927-nextjs-flaw/
-
WordPress Plugin Vulnerability Opens Door to SQL Injection Exploits
A critical vulnerability in the popular WordPress plugin GamiPress has been uncovered, leaving users exposed to unauthenticated SQL injection attacks. The issue, assigned the identifier CVE-2024-13496, carries a high CVSS 3.1 score of 7.5, indicating significant potential for exploitation. CVE-2024-13496 was discovered during a security assessment of GamiPress version 7.2.1. The vulnerability affects all versions…
-
Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.”Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” Next.js said in an First…
-
Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems
Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution.The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds.”A vulnerability allowing remote code execution (RCE) by authenticated domain…
-
New Windows zero-day feared abused in widespread espionage for years
.The zero-day vulnerability, tracked as ZDI-CAN-25373, has yet to be publicly acknowledged and assigned a CVE-ID by Microsoft. ZDI-CAN-25373 has to do with the way Windows displays the contents of .lnk files, a type of binary file used by Windows to act as a shortcut to a file, folder, or application, through the Windows UI.A…
-
Critical Veeam Backup Replication Vulnerability Allows Remote Execution of Malicious Code
Tags: backup, cve, cvss, cyber, malicious, remote-code-execution, risk, software, veeam, vulnerabilityA critical vulnerability in Veeam Backup & Replication software has been disclosed, posing a significant risk to users. This vulnerability, identified as CVE-2025-23120, allows remote code execution (RCE) by authenticated domain users. The severity of this issue is underscored by a CVSS v3.1 score of 9.9, indicating a high level of risk. The vulnerability has…
-
New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking
A critical security vulnerability has been disclosed in AMI’s MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity.”A local or remote attacker can exploit the vulnerability by accessing the First seen…
-
Tomcat PUT to active abuse as Apache deals with critical RCE flaw
Tags: apache, api, attack, authentication, backdoor, cve, cvss, data, encryption, exploit, flaw, malicious, rce, remote-code-execution, tactics, threat, update, vulnerability) exploit released for the flaw, CVE-2025-24813, just 30 hours after it was publicly disclosed.”A devastating new remote code execution (RCE) vulnerability is now actively exploited in the wild,” Wallarm said in a blog post. “Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers.”PUT API requests are used to update…
-
CVE-2025-27363: FreeType Vulnerability in Meta Exploited in the Wild
Meta has issued a security advisory regarding a newly discovered vulnerability in the FreeType open-source font rendering library. Tracked as CVE-2025-27363, this flaw has been assigned a CVSS score of 8.1, categorizing it as a high-severity issue. Security experts warn… First seen on sensorstechforum.com Jump to article: sensorstechforum.com/cve-2025-27363-freetype-meta-vulnerability/
-
Schwachstelle in der Sitecore-Experience-Platform ermöglicht RemoteExecution ohne Authentifizierung
Die kürzlich entdeckte Schwachstelle CVE-2025-27218 ist eine nicht autorisierte Sicherheitsanfälligkeit für Remotecodeausführung (Remote-Control-Execution, RCE) und betrifft die Sitecore-Experience-Platform und die Experience-Manager Version 10.4 vor KB1002844. Obwohl die Schwachstelle keine Authentifizierung erfordert und RCE ermöglicht, wurde sie mit einem seltsam gering erscheinenden CVSS-Ranking von 5,3 eingestuft. Über einen Hotfix des Herstellers ist die Vulnerability gepatcht. Forscher…
-
Meta Warns of FreeType Vulnerability (CVE-2025-27363) With Active Exploitation Risk
Meta has warned that a security vulnerability impacting the FreeType open-source font rendering library may have been exploited in the wild.The vulnerability has been assigned the CVE identifier CVE-2025-27363, and carries a CVSS score of 8.1, indicating high severity. Described as an out-of-bounds write flaw, it could be exploited to achieve remote code execution when…
-
Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches
Taiwanese company Moxa has released a security update to address a critical security flaw impacting its PT switches that could permit an attacker to bypass authentication guarantees.The vulnerability, tracked as CVE-2024-12297, has been assigned a CVSS v4 score of 9.2 out of a maximum of 10.0.”Multiple Moxa PT switches are vulnerable to an authentication bypass…
-
Elastic Issues Urgent Update for Critical Kibana Vulnerability Exposing Remote Code Execution Risk
Elastic has released a critical security update to address a vulnerability in Kibana, a widely used data visualization and analysis tool for Elasticsearch. This Kibana vulnerability, identified as CVE-2025-25012, could allow attackers to execute arbitrary code on affected systems, posing a severe threat to organizations using Kibana. The vulnerability, categorized under the CVSS scoring system…
-
Windows KDC Proxy RCE Vulnerability Allows Remote Server Takeover
Tags: authentication, control, cvss, cyber, flaw, microsoft, rce, remote-code-execution, vulnerability, windowsA recently patched remote code execution (RCE) vulnerability in Microsoft Windows’ Key Distribution Center (KDC) Proxy implementation allows unauthenticated attackers to take control of vulnerable servers through manipulated Kerberos authentication traffic. Designated CVE-2024-43639 and rated 9.8 CVSS, this critical flaw stems from improper validation of message lengths during ASN.1 encoding operation, enabling memory corruption attacks. The vulnerability…
-
Millions of WordPress Websites Vulnerable to Script Injection Due to Plugin Flaw
A critical security vulnerability in theEssential Addons for Elementorplugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset…
-
LockBit Ransomware Strikes: Exploiting a Confluence Vulnerability
Tags: attack, cvss, cyber, data-breach, exploit, lockbit, malicious, ransomware, remote-code-execution, vulnerability, windowsIn a swift and highly coordinated attack, LockBit ransomware operators exploited a critical remote code execution vulnerability (CVE-2023-22527) in Atlassian Confluence servers, targeting an exposed Windows server. This vulnerability, rated CVSS 10.0, enabled unauthenticated attackers to execute arbitrary commands by injecting malicious Object-Graph Navigation Language (OGNL) expressions into improperly sanitized template files. The attack commenced…
-
Critical Vulnerability in Fluent Bit Exposes Cloud Services to Potential Cyber Attacks
Tags: attack, cloud, computing, cve, cvss, cyber, data-breach, flaw, infrastructure, metric, service, tool, vulnerabilityA critical security flaw in Fluent Bit, a widely adopted log processing and metrics collection tool part of the Cloud Native Computing Foundation (CNCF), has exposed enterprise cloud infrastructures to denial-of-service (DoS) attacks. Designated as CVE-2024-50608 and CVE-2024-50609, these vulnerabilities”, scoring 8.9 on the CVSS v3.1 severity scale”, stem from improper handling of HTTP headers…
-
Windows Disk Cleanup Tool Exploit Allows SYSTEM Privilege Escalation
Microsoft has urgently addressed a high-severity privilege escalation vulnerability (CVE-2025-21420) in the Windows Disk Cleanup Utility (cleanmgr.exe) during its February 2025 Patch Tuesday updates. The flaw, scoring 7.8 on the CVSS scale, enabled attackers to execute malicious code with SYSTEM privileges through DLL sideloading techniques. Technical Mechanism of the Exploit The vulnerability leverages cleanmgr.exe’s privileged…