Tag: cvss
-
NVIDIA NeMo Flaw Enables Code Injection and Privilege Escalation Attacks
NVIDIA has released critical security patches addressing two high-severity vulnerabilities in its NeMo Framework that could allow attackers to execute arbitrary code and escalate privileges on affected systems. The vulnerabilities affect all versions of the framework before 2.5.0, and users should update to 2.5.0 immediately. CVE ID Description CVSS Score Severity CVE-2025-23361 Improper control of…
-
Kibana Vulnerabilities Expose Systems to SSRF and XSS Attacks
Elastic has released a security advisory addressing an origin validation error in Kibana that could expose systems to Server-Side Request Forgery (SSRF) attacks. The vulnerability, tracked as CVE-2025-37734, affects multiple versions of the popular data visualization and exploration platform and has prompted immediate patching across all affected deployments. CVE ID Vulnerability Affected Versions CVSS Score Fixed Versions…
-
Critical Dell Data Lakehouse Flaw Allows Remote Attackers to Escalate Privileges
Dell Technologies has disclosed a critical security vulnerability affecting its Data Lakehouse platform that could allow attackers with high-level privileges to escalate their access and compromise system integrity. The flaw, tracked as CVE-2025-46608, carries a maximum CVSS severity score of 9.1, indicating an exceptionally high risk to affected environments. CVE ID Product Affected Versions Remediated…
-
Ivanti Endpoint Manager Vulnerabilities Let Attackers Write Files Anywhere on Target Systems
Ivanti has released critical security updates for Ivanti Endpoint Manager to address three high-severity vulnerabilities that could allow authenticated attackers to write arbitrary files to any location on affected systems. The company disclosed the security advisory on November 10, 2025, with the latest patch becoming available immediately. CVE Number Description CVSS Score Severity CVE-2025-10918 Insecure…
-
Zoom Workplace for Windows Flaw Allows Local Privilege Escalation
A security vulnerability has been discovered in Zoom Workplace’s VDI Client for Windows that could allow attackers to escalate their privileges on affected systems. The flaw, tracked as CVE-2025-64740 and assigned bulletin ZSB-25042, has been rated as High severity with a CVSS score of 7.5. Attribute Details CVE ID CVE-2025-64740 Bulletin ID ZSB-25042 Product Zoom Workplace VDI…
-
SAP Releases Security Update to Fix Critical Code Execution and Injection Flaws
SAP has released a significant security update addressing 18 new vulnerabilities across its enterprise software portfolio, including several critical flaws related to code execution and data injection. This monthly security patch day features four high-severity vulnerabilities that require immediate attention from organizations utilizing SAP infrastructure. The most severe vulnerabilities have a CVSS score of 10.0,…
-
Devolutions Server Flaw Allows Attackers to Impersonate Users via Pre-MFA Cookie
Devolutions Server has been found vulnerable to a critical security flaw that allows low-privileged authenticated users to impersonate other accounts by replaying pre-MFA cookies. The vulnerability, identified as CVE-2025-12485, carries a critical CVSS score of 9.4 and affects all versions up to 2025.3.5. The company has released patches to address this and a second vulnerability…
-
New AI Vulnerability Scoring System Announced to Address Gaps in CVSS
A new vulnerability scoring system has just been announced. The initiative, called the AI Vulnerability Scoring System (AIVSS), aims to fill the gaps left by traditional models such as the Common Vulnerability Scoring System (CVSS), which were not designed to handle the complex, non-deterministic nature of m First seen on thecyberexpress.com Jump to article: thecyberexpress.com/owasp-ai-vulnerability-scoring-system-aivss/
-
AI Engine WordPress Plugin Exposes 100,000 WordPress Sites to Privilege Escalation Attacks
A critical vulnerability discovered in the AI Engine WordPress plugin threatens over 100,000 active installations worldwide. On October 4th, 2025, security researchers identified a Sensitive Information Exposure vulnerability that allows unauthenticated attackers to extract bearer tokens and escalate their privileges to administrator level. The vulnerability, tracked as CVE-2025-11749 with a CVSS rating of 9.8 (Critical),…
-
VulnRisk: Open-source vulnerability risk assessment platform
VulnRisk is an open-source platform for vulnerability risk assessment. It goes beyond basic CVSS scoring by adding context-aware analysis that reduces noise and highlights … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/11/05/vulnrisk-open-source-vulnerability-risk-assessment-platform/
-
Critical RCE Bug in Leading React Native NPM Module Could Allow Full System Compromise
A severe security vulnerability has been discovered in a widely used React Native development package, potentially exposing millions of developers to remote attacks. Security researchers from JFrog recently uncovered CVE-2025-11953, a critical remote code execution flaw affecting the @react-native-community/cli NPM package, which receives approximately two million weekly downloads. The vulnerability carries a maximum CVSS score…
-
Ubiquiti Unifi Access with Vulnerability CVE-2025-52665 (CVSS 10.0)
An unpleasant surprise for users and administrators of Ubiquiti's Unifi Access access-control solution. Security experts have come across an RCE vulnerability (CVE-2025-52665) that was rated with the maximum CVSS 3.1 score of 10.0. The vendor has offered an update since October 23, 2025 … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/11/04/ubiquiti-unify-access-mit-schwachstelle-cve-2025-52665-cvss-10-0/
-
Critical WordPress Post SMTP Plugin Vulnerability Puts 400,000 Sites at Risk of Account Takeover
A critical vulnerability has been discovered in the Post SMTP WordPress plugin, affecting over 400,000 active installations across the web. The vulnerability, identified as CVE-2025-11833 with a CVSS score of 9.8, allows unauthenticated attackers to access sensitive email logs and execute account takeover attacks on vulnerable WordPress sites. Researchers have already documented over 4,500 exploitation…
-
New Attack Chains Ghost SPNs and Kerberos Reflection to Elevate SMB Privileges
Microsoft has addressed a critical privilege escalation vulnerability affecting Windows environments worldwide. Attackers can exploit misconfigured Service Principal Names (SPNs) combined with Kerberos reflection attacks to gain SYSTEM-level access on domain-joined machines, even when previous Kerberos mitigations are in place. Attribute Details CVE ID CVE-2025-58726 Vulnerability Type SMB Server Elevation of Privilege CVSS 3.1 Score…
-
Microsoft Issues Alert on ASP.NET Flaw Allowing HTTP Request Smuggling Attacks
Microsoft has released a critical security update addressing a severe vulnerability in ASP.NET Core that could enable attackers to execute HTTP request smuggling attacks. On October 14, 2025, the company issued patches for CVE-2025-55315, a security feature bypass flaw affecting the Kestrel web server component with an alarming CVSS score of 9.9, placing it in…
-
Apache Tomcat Flaws Allow Remote Code Execution on Vulnerable Servers
The Apache Software Foundation has disclosed two security vulnerabilities affecting multiple versions of Apache Tomcat, with one flaw posing a serious risk of remote code execution on vulnerable servers. The flaws impact Apache Tomcat versions 9, 10, and 11, prompting urgent warnings for administrators to upgrade their installations immediately. CVE ID Vulnerability Severity CVSS Score…

