This week brought 81 critical vulnerabilities, ranging from 22 on Monday to just 4 by Friday. The severity of the threats remained concerning, with 11 CISA KEV vulnerabilities requiring federal action and significant WordPress ecosystem security issues emerging.
Two critical vulnerabilities (CVE-2025-48928, CVE-2025-48927) with CVSS 9.5 scores exposed core dumps and insecure defaults. Both were added to CISA KEV with urgent federal deadlines.
CVE-2025-6554 was confirmed under active exploitation, affecting millions of Chrome users worldwide. The type confusion vulnerability enables remote code execution.
Multiple critical vulnerabilities discovered across popular WordPress plugins including SureForms, Events Manager, and various form builders. SQL injection and PHP object injection dominate.
CISA added vulnerabilities from 2016 and 2019 to the KEV list, indicating active exploitation of old, unpatched systems. Zimbra, PHPMailer, and Ruby on Rails are affected.
Coordinated disclosure of multiple WordPress plugin vulnerabilities suggests systematic security review or potential campaign targeting WordPress sites.
Honeywell Experion PKS and OneWireless vulnerabilities indicate continued focus on critical infrastructure.
44 new KEV additions this week require immediate attention from federal agencies.
Federal agencies must remediate all KEV vulnerabilities by specified deadlines or implement compensating controls with risk acceptance documentation.
This concludes our first week of CVE Brief. Thank you for visiting and trusting us to keep you informed about critical security vulnerabilities. We're excited to continue delivering curated, actionable intelligence to help protect your organization.
See you next week!