Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Archived Security Brief
Sunday's security landscape reveals notable activity with two maximum-severity CVSS 10.0 vulnerabilities affecting General Industrial Controls products and Desktop Alert PingAlert systems. The weekend disclosure includes 4 critical CVEs (CVSS 9.0+) and 26 high-priority vulnerabilities, representing a 25% increase in critical disclosures compared to Friday while high-priority issues decreased by 49%. Patch availability remains limited at 16%, requiring organizations to implement compensating controls for unpatched systems. Eleven actively exploited CISA KEV vulnerabilities continue to demand attention, including recent additions affecting VMware Aria Operations (CVE-2025-41244), Microsoft Windows (CVE-2025-62215), and Fortinet FortiWeb (CVE-2025-64446). Industrial control systems face heightened risk this weekend with authentication bypass flaws enabling remote device resets.
Critical CVEs: 4 critical vulnerabilities disclosed, up 25% from yesterday's 4
High-priority vulnerabilities: 26 issues requiring attention, down 49% from yesterday's 51
Patch availability: 16% of new vulnerabilities have vendor patches available
Maximum severity threats: Two CVSS 10.0 vulnerabilities in industrial controls (CVE-2025-58083, CVE-2025-54339)
Weekend security posture: Organizations should monitor industrial control systems for authentication bypass attempts
Immediate action: Immediate action: Deploy patches for the two CVSS 10.0 industrial control vulnerabilities (CVE-2025-58083 affecting General Industrial Controls Lynx+ Gateway, CVE-2025-54339 affecting Desktop Alert PingAlert). Implement network segmentation and access controls for unpatched ICS components. Priority patching recommended for 11 actively exploited CISA KEV vulnerabilities, particularly CVE-2025-64446 (Fortinet FortiWeb path traversal), CVE-2025-62215 (Microsoft Windows), and CVE-2025-41244 (VMware Aria Operations). Monitor industrial control system web interfaces for unauthorized reset attempts and unexpected device reboots.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2025-6204
9.5
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(2 days remaining)
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-6205
9.5📝
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(2 days remaining)
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-41244
9.5📝
BroadcomVMware Aria Operations and VMware Tools
⏰ Federal Deadline:November 19, 2025(4 days remaining)
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-24893
9.5
XWikiPlatform
⏰ Federal Deadline:November 19, 2025(4 days remaining)
XWiki Platform Eval Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-64446
9.8
A relative path traversal vulnerability in Fortinet FortiWebMultiple Products
⏰ Federal Deadline:November 20, 2025(5 days remaining)
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
CVSS Base9.8
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-48703
9.5📝
CWPControl Web Panel
⏰ Federal Deadline:November 24, 2025(9 days remaining)
CWP Control Web Panel OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-11371
9.5
GladinetCentreStack and Triofox
⏰ Federal Deadline:November 24, 2025(9 days remaining)
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-21042
9.5
SamsungMobile Devices
⏰ Federal Deadline:November 30, 2025(15 days remaining)
Samsung Mobile Devices Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-12480
9.5📝
GladinetTriofox
⏰ Federal Deadline:December 2, 2025(17 days remaining)
Gladinet Triofox Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-62215
9.5
MicrosoftWindows
⏰ Federal Deadline:December 2, 2025(17 days remaining)
Microsoft Windows Race Condition Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-9242
9.5
WatchGuardFirebox
⏰ Federal Deadline:December 2, 2025(17 days remaining)
WatchGuard Firebox Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2025-58083
10📝
General Industrial ControlsMultiple Products
General Industrial Controls Lynx+ Gateway
is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device.
CVSS Base10
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2025-63891
7.5📝
InformationMultiple Products
Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db
CVSS Base7.5
→
CRSSelect profile
CVE-2025-64308
7.5📝
itsMultiple Products
The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle
CVSS Base7.5
→
CRSSelect profile
CVE-2025-12904
7.2📝
WordPressMultiple Products
The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0
CVSS Base7.2
→
CRSSelect profile
CVE-2024-9126
7.5📝
GoogleMultiple Products
Use after free in Internals in Google Chrome on iOS prior to 127
CVSS Base7.5
→
CRSSelect profile
CVE-2025-63680
8.6📝
NeroMultiple Products
Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry
CVSS Base8.6
→
CRSSelect profile
CVE-2024-7017
7.5📝
GoogleMultiple Products
Inappropriate implementation in DevTools in Google Chrome prior to 126
CVSS Base7.5
→
CRSSelect profile
CVE-2025-10686
7.2📝
WordPressMultiple Products
The Creta Testimonial Showcase WordPress plugin before 1
CVSS Base7.2
→
CRSSelect profile
CVE-2025-55034
8.2📝
GeneralMultiple Products
General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may
allow an attacker to execute a brute-force attack resulting in
unauthorized access and login
CVSS Base8.2
→
CRSSelect profile
CVE-2025-13161
7.5📝
UnknownMultiple Products
IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files
CVSS Base7.5
→
CRSSelect profile
CVE-2025-59780
7.5📝
webMultiple Products
General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which
could allow an attacker to send GET requests to obtain sensitive device
information
CVSS Base7.5
→
CRSSelect profile
CVE-2025-62765
7.5📝
GeneralMultiple Products
General Industrial Controls Lynx+ Gateway is vulnerable to a cleartext transmission vulnerability that could allow
an attacker to observe network traffic to obtain sensitive information,
including plaintext credentials
CVSS Base7.5
→
CRSSelect profile
CVE-2025-8855
8.1📝
Optimus SoftwareMultiple Products
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information
CVSS Base8.1
→
CRSSelect profile
CVE-2025-13189
8.8📝
D-LinkMultiple Products
A vulnerability has been found in D-Link DIR-816L 2_06_b09_beta
CVSS Base8.8
→
CRSSelect profile
CVE-2025-13190
8.8📝
D-LinkMultiple Products
A vulnerability was found in D-Link DIR-816L 2_06_b09_beta
CVSS Base8.8
→
CRSSelect profile
CVE-2025-13191
8.8📝
D-LinkMultiple Products
A vulnerability was determined in D-Link DIR-816L 2_06_b09_beta
CVSS Base8.8
→
CRSSelect profile
CVE-2025-64309
8.6
BrightpickMultiple Products
Brightpick Mission Control
discloses device telemetry, configuration, and credential information
via WebSocket traffic to unauthenticated users when they connect to a
specific URL
CVSS Base8.6
→
CRSSelect profile
CVE-2025-9317
8.4
reverseMultiple Products
The vulnerability, if exploited, could allow a miscreant with read
access to Edge Project files or Edge Offline Cache files to reverse
engineer Edge users' app-native or Active Directory passwords through
computational brute-forcing of weak hashes
CVSS Base8.4
→
CRSSelect profile
CVE-2025-54346
7.6
ApplicationMultiple Products
A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6
CVSS Base7.6
→
CRSSelect profile
CVE-2025-54345
7.5
ApplicationMultiple Products
An issue was found in the Application Server of Desktop Alert PingAlert version 6
CVSS Base7.5
→
CRSSelect profile
CVE-2025-13033
7.5
wasMultiple Products
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses
CVSS Base7.5
→
CRSSelect profile
CVE-2025-13169
7.3
ReservationMultiple Products
A security vulnerability has been detected in code-projects Simple Online Hotel Reservation System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-13170
7.3
ReservationMultiple Products
A vulnerability was detected in code-projects Simple Online Hotel Reservation System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-13204
7.3
npmMultiple Products
npm package `expr-eval` is vulnerable to Prototype Pollution
CVSS Base7.3
→
CRSSelect profile
CVE-2025-13201
7.3
OrderingMultiple Products
A vulnerability was identified in code-projects Simple Cafe Ordering System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-13203
7.3
OrderingMultiple Products
A weakness has been identified in code-projects Simple Cafe Ordering System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-64444
7.2
ImproperMultiple Products
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1