CVE Brief - September 9, 2025

Tuesday, September 9, 2025 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Select your system profile:

Risk scores will be adjusted based on your selected environment

Archived Security Brief

This curated brief highlights 40 critical vulnerabilities and 100 high-priority updates requiring immediate attention.

193 total vulnerabilities disclosed in last 24 hours
WordPress ecosystem significantly impacted: 6 plugin/theme vulnerabilities

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

CISA Known Exploited Vulnerabilities

⚠️ CISA KEV URGENT

CVE-2025-43300

9.5 📝

Apple iOS, iPadOS, and macOS August 20, 2025

⏰ Federal Deadline: September 10, 2025 (2 days remaining)

Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-48384

9.5

Git Git August 24, 2025

⏰ Federal Deadline: September 14, 2025 (6 days remaining)

Git Link Following Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2024-8068

9.5

Citrix Session Recording August 24, 2025

⏰ Federal Deadline: September 14, 2025 (6 days remaining)

Citrix Session Recording Improper Privilege Management Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2024-8069

9.5

Citrix Session Recording August 24, 2025

⏰ Federal Deadline: September 14, 2025 (6 days remaining)

Citrix Session Recording Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-57819

9.5

Sangoma FreePBX August 28, 2025

⏰ Federal Deadline: September 18, 2025 (10 days remaining)

Sangoma FreePBX Authentication Bypass Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2020-24363

9.5

TP-Link TL-WA855RE September 1, 2025

⏰ Federal Deadline: September 22, 2025 (14 days remaining)

TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-55177

9.5 📝

Meta Platforms WhatsApp September 1, 2025

⏰ Federal Deadline: September 22, 2025 (14 days remaining)

Meta Platforms WhatsApp Incorrect Authorization Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2023-50224

9.5

TP-Link TL-WR841N September 2, 2025

⏰ Federal Deadline: September 23, 2025 (15 days remaining)

TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-9377

9.5

TP-Link Multiple Routers September 2, 2025

⏰ Federal Deadline: September 23, 2025 (15 days remaining)

TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-38352

9.5

Linux Kernel September 3, 2025

⏰ Federal Deadline: September 24, 2025 (16 days remaining)

Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-48543

9.5 📝

Android Runtime September 3, 2025

⏰ Federal Deadline: September 24, 2025 (16 days remaining)

Android Runtime Use-After-Free Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-53690

9.5 📝

Sitecore Multiple Products September 3, 2025

⏰ Federal Deadline: September 24, 2025 (16 days remaining)

Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

Critical Vulnerabilities

CVE-2025-55232

9.8 📝

Deserialization of untrusted data in Microsoft High Performance Compute Pack Multiple Products Sep 9, 2025

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-42922

9.9 📝

SAP NetWeaver AS Java allows an attacker authenticated as a Multiple Products Sep 9, 2025

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compro...

CVSS Base 9.9

→

CRS Select profile

CVE-2025-52161

9.8 📝

Scholl Communications AG Weblication CMS Core Multiple Products Sep 8, 2025

Scholl Communications AG Weblication CMS Core v019.004.000.000 was discovered to contain a cross-site scripting (XSS) vulnerability.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-59033

9.8 📝

The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control Multiple Products Sep 8, 2025

The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. On systems that do not have hypervisor-protected code integrity (HVCI) enabled, entries...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-9113

9.8 📝

The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Multiple Products Sep 8, 2025

The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.4.8. ...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-9114

9.8 📝

The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up Multiple Products Sep 8, 2025

The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.4.8. This is due to the plugin providing user-controlled access to objects, letting ...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-58462

9.8 📝

OPEXUS FOIAXpress Public Access Link Multiple Products Sep 9, 2025

OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content in the ...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-58447

9.8 📝

rAthena is an Multiple Products Sep 9, 2025

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Versions prior to commit 2f5248b have a heap-based buffer overflow in the login server, remote ...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-10134

9.1 📝

The Goza Multiple Products Sep 9, 2025

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in a...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-54236

9.1 📝

Adobe Commerce versions Multiple Products Sep 9, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this t...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-55727

10 📝

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Multiple Products Sep 9, 2025

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter...

CVSS Base 10

→

CRS Select profile

CVE-2025-55728

10 📝

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Multiple Products Sep 9, 2025

CVSS Base 10

→

CRS Select profile

CVE-2025-55729

10 📝

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Multiple Products Sep 9, 2025

CVSS Base 10

→

CRS Select profile

CVE-2025-55730

10 📝

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Multiple Products Sep 9, 2025

CVSS Base 10

→

CRS Select profile

CVE-2025-58762

9.1 📝

Tautulli is a Python based monitoring and tracking tool for Plex Media Multiple Products Sep 9, 2025

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write a...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-57141

9.8 📝

Unknown Multiple Products Sep 8, 2025

rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-10159

9.8

An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos Multiple Products Sep 9, 2025

An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7).

CVSS Base 9.8

→

CRS Select profile

CVE-2025-47569

9.3

Improper Neutralization of Special Elements used in an SQL Command Multiple Products Sep 9, 2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email...

CVSS Base 9.3

→

CRS Select profile

CVE-2025-42944

Due to a deserialization vulnerability in SAP Multiple Products Sep 9, 2025

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserializa...

CVSS Base 10

→

CRS Select profile

CVE-2025-22956

9.8

OPSI before Multiple Products Sep 8, 2025

OPSI before 4.3 allows any client to retrieve any ProductPropertyState, including those of other clients. This can lead to privilege escalation if any ProductPropertyState contains a secret only inten...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-58448

9.1

rAthena is an Multiple Products Sep 9, 2025

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Versions prior to commit 0d89ae0 have a SQL Injection in the PartyBooking component via `WorldN...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-47579

Deserialization of Untrusted Data vulnerability in ThemeGoods Multiple Products Sep 9, 2025

Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2.

CVSS Base 9

→

CRS Select profile

CVE-2025-55051

Unknown Multiple Products Sep 9, 2025

CWE-1392: Use of Default Credentials

CVSS Base 10

→

CRS Select profile

CVE-2025-58745

9.9 📝

WeGIA is a Web manager for charitable Multiple Products Sep 8, 2025

WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. The WeGIA only check MIME types for Excel files at e...

CVSS Base 9.9

→

CRS Select profile

CVE-2025-56266

9.8 📝

A Host Header Injection vulnerability in Avigilon ACM Multiple Products Sep 8, 2025

A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-56267

9.8 📝

A CSV injection vulnerability in the Multiple Products Sep 8, 2025

A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via suuplying a crafted Excel file.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-57285

9.8 📝

codeceptjs Multiple Products Sep 8, 2025

codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without s...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-40795

9.8

A vulnerability has been identified in SIMATIC PCS neo Multiple Products Sep 9, 2025

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), User Management Component (UMC) (All versions < V2.15.1.3). Affected products contain a...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-32486

9.8

Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Multiple Products Sep 9, 2025

Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard. This issue affects Material Dashboard: from n/a through 1.4.6.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-55048

9.8

Multiple Multiple Products Sep 9, 2025

Multiple CWE-78

CVSS Base 9.8

→

CRS Select profile

CVE-2025-55050

9.8

Unknown Multiple Products Sep 9, 2025

CWE-1242: Inclusion of Undocumented Features

CVSS Base 9.8

→

CRS Select profile

CVE-2025-59046

9.8

The npm package Multiple Products Sep 9, 2025

The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as a...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-58997

9.6

Unknown Multiple Products Sep 9, 2025

Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection. This issue affects Mow: from n/a through 4.10.

CVSS Base 9.6

→

CRS Select profile

CVE-2025-58768

9.6

DeepChat is a smart assistant uses artificial Multiple Products Sep 9, 2025

DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user conte...

CVSS Base 9.6

→

CRS Select profile

CVE-2025-42958

9.1

Due to a missing authentication check in the SAP NetWeaver application on IBM Multiple Products Sep 9, 2025

Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as w...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-40804

9.1

A vulnerability has been identified in SIMATIC Virtualization as a Service Multiple Products Sep 9, 2025

A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). The affected application exposes a network share without any authentication. This could allow an att...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-10183

9.1

A blind XML External Entity Multiple Products Sep 9, 2025

A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. ...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-55049

9.1

Use of Default Cryptographic Key Multiple Products Sep 9, 2025

Use of Default Cryptographic Key (CWE-1394)

CVSS Base 9.1

→

CRS Select profile

CVE-2025-58746

9 📝

The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external Multiple Products Sep 8, 2025

The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious acto...

CVSS Base 9

→

CRS Select profile

CVE-2025-54261

ColdFusion versions Multiple Products Sep 9, 2025

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary co...

CVSS Base 9

→

CRS Select profile

High Priority Updates

CVE-2025-54113

8.8 📝

Unknown Multiple Products September 9, 2025

Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network

CVSS Base 8.8

→

CRS Select profile

CVE-2025-54106

8.8 📝

Integer Multiple Products September 9, 2025

Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network

CVSS Base 8.8

→

CRS Select profile

CVE-2025-54709

8.1 📝

uxper Multiple Products September 9, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Sala

CVSS Base 8.1

→

CRS Select profile

CVE-2025-58215

8.1 📝

Improper Multiple Products September 9, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Ziston allows PHP Local File Inclusion

CVSS Base 8.1

→

CRS Select profile

CVE-2025-48101

8.8 📝

WordPress Multiple Products September 9, 2025

Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection

CVSS Base 8.8

→

CRS Select profile

CVE-2025-53303

8.8 📝

ThemeMove Multiple Products September 9, 2025

Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core allows Object Injection

CVSS Base 8.8

→

CRS Select profile

CVE-2025-54897

8.8 📝

Microsoft Multiple Products September 9, 2025

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network

CVSS Base 8.8

→

CRS Select profile

CVE-2025-47571

7.5 📝

highwarden Super Multiple Products September 9, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in highwarden Super Store Finder

CVSS Base 7.5

→

CRS Select profile

CVE-2025-54910

8.4 📝

Microsoft Multiple Products September 9, 2025

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally

CVSS Base 8.4

→

CRS Select profile

CVE-2025-54102

7.8 📝

Use Multiple Products September 9, 2025

Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54111

7.8 📝

Use Multiple Products September 9, 2025

Use after free in Windows UI XAML Phone DatePickerFlyout allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54896

7.8 📝

Microsoft Multiple Products September 9, 2025

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54900

7.8 📝

Microsoft Multiple Products September 9, 2025

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54903

7.8 📝

Microsoft Multiple Products September 9, 2025

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54904

7.8 📝

Microsoft Multiple Products September 9, 2025

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54907

7.8

Microsoft Multiple Products September 9, 2025

Heap-based buffer overflow in Microsoft Office Visio allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54908

7.8

Microsoft Multiple Products September 9, 2025

Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54912

7.8

Use Multiple Products September 9, 2025

Use after free in Windows BitLocker allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54916

7.8

Unknown Multiple Products September 9, 2025

Stack-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-9112

8.8 📝

WordPress Multiple Products September 9, 2025

The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1

CVSS Base 8.8

→

CRS Select profile

CVE-2025-54110

8.8

Integer Multiple Products September 9, 2025

Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally

CVSS Base 8.8

→

CRS Select profile

CVE-2025-54918

8.8

Improper Multiple Products September 9, 2025

Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network

CVSS Base 8.8

→

CRS Select profile

CVE-2025-8085

8.6 📝

WordPress Multiple Products September 9, 2025

The Ditty WordPress plugin before 3

CVSS Base 8.6

→

CRS Select profile

CVE-2025-55849

8.4 📝

WeiPHP Multiple Products September 9, 2025

WeiPHP v5

CVSS Base 8.4

→

CRS Select profile

CVE-2025-33045

8.2

APTIOV Multiple Products September 9, 2025

APTIOV contains vulnerabilities in the BIOS where a privileged user may cause “Write-what-where Condition” and “Exposure of Sensitive Information to an Unauthorized Actor” through local access

CVSS Base 8.2

→

CRS Select profile

CVE-2025-42916

8.1

missing Multiple Products September 9, 2025

Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group

CVSS Base 8.1

→

CRS Select profile

CVE-2025-42929

8.1

missing Multiple Products September 9, 2025

CVSS Base 8.1

→

CRS Select profile

CVE-2025-9539

WordPress Multiple Products September 9, 2025

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5

CVSS Base 8

→

CRS Select profile

CVE-2025-49692

7.8

Improper Multiple Products September 9, 2025

Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-53800

7.8

Microsoft Multiple Products September 9, 2025

No cwe for this issue in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-53801

7.8

Untrusted Multiple Products September 9, 2025

Untrusted pointer dereference in Windows DWM allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54091

7.8

Integer Multiple Products September 9, 2025

Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54092

7.8

Concurrent Multiple Products September 9, 2025

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54098

7.8

Improper Multiple Products September 9, 2025

Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54895

7.8

Integer Multiple Products September 9, 2025

Integer overflow or wraparound in Windows SPNEGO Extended Negotiation allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54898

7.8

Microsoft Multiple Products September 9, 2025

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54899

7.8

Microsoft Multiple Products September 9, 2025

Free of memory not on the heap in Microsoft Office Excel allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54902

7.8

Microsoft Multiple Products September 9, 2025

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54906

7.8

Microsoft Multiple Products September 9, 2025

Free of memory not on the heap in Microsoft Office allows an unauthorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54913

7.8

Concurrent Multiple Products September 9, 2025

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows UI XAML Maps MapControlSettings allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-55224

7.8

Concurrent Multiple Products September 9, 2025

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-55228

7.8

Concurrent Multiple Products September 9, 2025

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-55316

7.8

External Multiple Products September 9, 2025

External control of file name or path in Azure Arc allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-55317

7.8

Microsoft Multiple Products September 9, 2025

Improper link resolution before file access ('link following') in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54257

7.8

Reader Multiple Products September 9, 2025

Acrobat Reader versions 24

CVSS Base 7.8

→

CRS Select profile

CVE-2025-49459

7.8

Zoom Multiple Products September 9, 2025

Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54248

7.7

Adobe Multiple Products September 9, 2025

Adobe Experience Manager versions 6

CVSS Base 7.7

→

CRS Select profile

CVE-2025-9712

8.8

Endpoint Multiple Products September 9, 2025

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution

CVSS Base 8.8

→

CRS Select profile

CVE-2025-9872

8.8

Endpoint Multiple Products September 9, 2025

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution

CVSS Base 8.8

→

CRS Select profile

CVE-2025-58760

8.6

Media Multiple Products September 9, 2025

Tautulli is a Python based monitoring and tracking tool for Plex Media Server

CVSS Base 8.6

→

CRS Select profile

CVE-2025-58761

8.6

Media Multiple Products September 9, 2025

Tautulli is a Python based monitoring and tracking tool for Plex Media Server

CVSS Base 8.6

→

CRS Select profile

CVE-2025-58763

Media Multiple Products September 9, 2025

Tautulli is a Python based monitoring and tracking tool for Plex Media Server

CVSS Base 8

→

CRS Select profile

CVE-2025-42933

8.8

native Multiple Products September 9, 2025

When a user logs in via SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs

CVSS Base 8.8

→

CRS Select profile

CVE-2025-41664

7.5 📝

A Multiple Products September 9, 2025

A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e

CVSS Base 7.5

→

CRS Select profile

CVE-2025-58993

7.6

Themeum Tutor LMS Multiple Products September 9, 2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection

CVSS Base 7.6

→

CRS Select profile

CVE-2025-59008

7.6

PressTigers ZIP Code Multiple Products September 9, 2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PressTigers ZIP Code Based Content Protection allows SQL Injection

CVSS Base 7.6

→

CRS Select profile

CVE-2025-55145

8.9

Secure Multiple Products September 9, 2025

Missing authorization in Ivanti Connect Secure before 22

CVSS Base 8.9

→

CRS Select profile

CVE-2025-41682

8.8 📝

An Multiple Products September 9, 2025

An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password

CVSS Base 8.8

→

CRS Select profile

CVE-2025-36855

8.8 📝

A vulnerability Multiple Products September 9, 2025

A vulnerability ( CVE-2025-21176 https://www

CVSS Base 8.8

→

CRS Select profile

CVE-2025-56265

8.8 📝

Chat Trigger Multiple Products September 9, 2025

An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1

CVSS Base 8.8

→

CRS Select profile

CVE-2025-52389

8.8 📝

Insecure Multiple Products September 9, 2025

An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40

CVSS Base 8.8

→

CRS Select profile

CVE-2025-58755

8.8

MONAI Multiple Products September 9, 2025

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging

CVSS Base 8.8

→

CRS Select profile

CVE-2025-58756

8.8

MONAI Multiple Products September 9, 2025

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging

CVSS Base 8.8

→

CRS Select profile

CVE-2025-58757

8.8

MONAI Multiple Products September 9, 2025

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging

CVSS Base 8.8

→

CRS Select profile

CVE-2025-10120

8.8

was Multiple Products September 9, 2025

A vulnerability was detected in Tenda AC20 up to 16

CVSS Base 8.8

→

CRS Select profile

CVE-2025-55141

8.8

Secure Multiple Products September 9, 2025

Missing authorization in Ivanti Connect Secure before 22

CVSS Base 8.8

→

CRS Select profile

CVE-2025-55142

8.8

Secure Multiple Products September 9, 2025

Missing authorization in Ivanti Connect Secure before 22

CVSS Base 8.8

→

CRS Select profile

CVE-2025-55147

8.8

Secure Multiple Products September 9, 2025

CSRF in Ivanti Connect Secure before 22

CVSS Base 8.8

→

CRS Select profile

CVE-2025-55227

8.8

SQL Multiple Products September 9, 2025

Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network

CVSS Base 8.8

→

CRS Select profile

CVE-2025-55234

8.8

SMB Multiple Products September 9, 2025

SMB Server might be susceptible to relay attacks depending on the configuration

CVSS Base 8.8

→

CRS Select profile

CVE-2025-10169

8.8

weakness Multiple Products September 9, 2025

A weakness has been identified in UTT 1200GW up to 3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-10170

8.8

security Multiple Products September 9, 2025

A security vulnerability has been detected in UTT 1200GW up to 3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-10171

8.8

was Multiple Products September 9, 2025

A vulnerability was detected in UTT 1250GW up to 3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-10172

8.8

flaw Multiple Products September 9, 2025

A flaw has been found in UTT 750W up to 3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-54256

8.6

Desktop Multiple Products September 9, 2025

Dreamweaver Desktop versions 21

CVSS Base 8.6

→

CRS Select profile

CVE-2025-55047

8.4

Unknown Multiple Products September 9, 2025

CWE-798 Use of Hard-coded Credentials

CVSS Base 8.4

→

CRS Select profile

CVE-2025-23342

8.2

NVIDIA Multiple Products September 9, 2025

The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to a privileged account

CVSS Base 8.2

→

CRS Select profile

CVE-2025-58750

8.2

rAthena Multiple Products September 9, 2025

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server

CVSS Base 8.2

→

CRS Select profile

CVE-2025-36854

8.1 📝

A vulnerability Multiple Products September 9, 2025

A vulnerability ( CVE-2024-38229 https://www

CVSS Base 8.1

→

CRS Select profile

CVE-2025-55998

8.1 📝

Smart Search Multiple Products September 9, 2025

A cross-site scripting (XSS) vulnerability in Smart Search & Filter Shopify App 1

CVSS Base 8.1

→

CRS Select profile

CVE-2025-41701

7.8

affected Multiple Products September 9, 2025

An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54894

7.8

Local Multiple Products September 9, 2025

Local Security Authority Subsystem Service Elevation of Privilege Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-55245

7.8

Improper Multiple Products September 9, 2025

Improper link resolution before file access ('link following') in Xbox allows an authorized attacker to elevate privileges locally

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54242

7.8

Pro Multiple Products September 9, 2025

Premiere Pro versions 25

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54243

7.8

Viewer Multiple Products September 9, 2025

Substance3D - Viewer versions 0

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54244

7.8

Viewer Multiple Products September 9, 2025

Substance3D - Viewer versions 0

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54245

7.8

Viewer Multiple Products September 9, 2025

Substance3D - Viewer versions 0

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54258

7.8

Modeler Multiple Products September 9, 2025

Substance3D - Modeler versions 1

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54259

7.8

Modeler Multiple Products September 9, 2025

Substance3D - Modeler versions 1

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54260

7.8

Modeler Multiple Products September 9, 2025

Substance3D - Modeler versions 1

CVSS Base 7.8

→

CRS Select profile

CVE-2025-55148

7.6

Secure Multiple Products September 9, 2025

Missing authorization in Ivanti Connect Secure before 22

CVSS Base 7.6

→

CRS Select profile

CVE-2025-23343

7.6

NVIDIA Multiple Products September 9, 2025

The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to write files to restricted components

CVSS Base 7.6

→

CRS Select profile

CVE-2025-36853

7.5 📝

A vulnerability Multiple Products September 9, 2025

A vulnerability (CVE-2025-21172) exists in msdia140

CVSS Base 7.5

→

CRS Select profile

CVE-2025-40928

7.5 📝

before Multiple Products September 9, 2025

JSON::XS before version 4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-40930

7.5 📝

before Multiple Products September 9, 2025

JSON::SIMD before version 1

CVSS Base 7.5

→

CRS Select profile

CVE-2025-52288

7.5 📝

Assertion Multiple Products September 9, 2025

Assertion failure in function ngap_build_downlink_nas_transport in file src/amf/ngap-build

CVSS Base 7.5

→

CRS Select profile

CVE-2025-40796

7.5

has Multiple Products September 9, 2025

A vulnerability has been identified in SIMATIC PCS neo V4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-40797

7.5

has Multiple Products September 9, 2025

A vulnerability has been identified in SIMATIC PCS neo V4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-40798

7.5

has Multiple Products September 9, 2025

A vulnerability has been identified in SIMATIC PCS neo V4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-32689

7.5

ThemesGrove WP Multiple Products September 9, 2025

Improper Validation of Specified Quantity in Input vulnerability in ThemesGrove WP SmartPay

CVSS Base 7.5

→

CRS Select profile

Archived Security Snapshot

🎯 SSCV Profile

📊 Archived Security Brief

Section Navigation

⚠️ CISA Known Exploited Vulnerabilities

🚨 Critical Vulnerabilities

⚠️ High Priority Updates

Archived Security Brief

CISA Known Exploited Vulnerabilities

Critical Vulnerabilities

High Priority Updates