Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Archived Security Brief
Friday's vulnerability landscape demonstrates significant escalation with 12 critical vulnerabilities (100% increase from yesterday's 6), including two maximum severity CVSS 10.0 issues affecting Azure Bastion and The Itel DAB Encoder. High-priority CVEs decreased 20% from 71 to 57, while nine actively exploited CISA KEV vulnerabilities (13% increase from 8) require priority weekend remediation. The disclosure environment includes eight CVSS 9.8 vulnerabilities enabling unauthenticated remote code execution and authentication bypass attacks. Patch availability declined to 17% from yesterday's 24%, requiring organizations to maintain compensating controls heading into the weekend.
Critical CVE count doubled from 6 to 12 vulnerabilities, representing a 100% increase in maximum severity disclosures
Two CVSS 10.0 vulnerabilities require immediate assessment: CVE-2025-49752 (Azure Bastion) and CVE-2025-63224 (Itel DAB Encoder)
CVE-2025-12057, CVE-2025-59245, CVE-2025-63218, CVE-2025-63223, CVE-2025-10437, CVE-2025-63206, CVE-2025-63210 (CVSS 9.8) enable unauthenticated attacks across enterprise and broadcast infrastructure
High-priority vulnerabilities decreased 20% from 71 to 57 CVEs, suggesting focused critical disclosure activity
Patch availability declined to 17% (down from 24%), requiring weekend deployment of network segmentation and access controls
Nine actively exploited CISA KEV vulnerabilities (13% increase) demand priority remediation before weekend staffing reductions
Immediate action: URGENT WEEKEND ACTION: Security teams must immediately assess CVE-2025-49752 (CVSS 10.0) affecting Azure Bastion cloud infrastructure and CVE-2025-63224 (CVSS 10.0) affecting Itel DAB Encoder systems. Priority patching should address the eight CVSS 9.8 unauthenticated remote code execution and authentication bypass vulnerabilities, particularly CVE-2025-59245 (SharePoint Online), CVE-2025-12057 (WordPress WavePlayer), and CVE-2025-63206 (Dasan Switch) where vendor patches may be available. With only 17% patch availability and weekend approaching, organizations must deploy network segmentation, restrict administrative access, and implement Web Application Firewalls with command injection and authentication bypass detection rules. The nine actively exploited CISA KEV vulnerabilities require immediate remediation before weekend staffing reductions limit response capabilities.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2025-64446
9.5
FortinetFortiWeb
β° Federal Deadline:November 20, 2025(1 days remaining)
Fortinet FortiWeb Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-58034
9.5π
FortinetFortiWeb
β° Federal Deadline:November 24, 2025(5 days remaining)
Fortinet FortiWeb OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-48703
9.5π
CWPControl Web Panel
β° Federal Deadline:November 24, 2025(5 days remaining)
CWP Control Web Panel OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-11371
9.5
GladinetCentreStack and Triofox
β° Federal Deadline:November 24, 2025(5 days remaining)
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-21042
9.5
SamsungMobile Devices
β° Federal Deadline:November 30, 2025(11 days remaining)
Samsung Mobile Devices Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-12480
9.5π
GladinetTriofox
β° Federal Deadline:December 2, 2025(13 days remaining)
Gladinet Triofox Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-62215
9.5
MicrosoftWindows
β° Federal Deadline:December 2, 2025(13 days remaining)
Microsoft Windows Race Condition Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-9242
9.5
WatchGuardFirebox
β° Federal Deadline:December 2, 2025(13 days remaining)
WatchGuard Firebox Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-13223
9.5π
GoogleChromium V8
β° Federal Deadline:December 9, 2025(20 days remaining)
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2025-49752
10
Azure Bastion Elevation of PrivilegeMultiple Products
Azure Bastion Elevation of Privilege Vulnerability
CVSS Base10
β
CRSSelect profile
CVE-2025-12057
9.8π
The WavePlayer WordPress plugin beforeMultiple Products
The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE
CVSS Base9.8
β
CRSSelect profile
CVE-2025-59245
9.8
Microsoft SharePoint Online Elevation of PrivilegeMultiple Products
Microsoft SharePoint Online Elevation of Privilege Vulnerability
CVSS Base9.8
β
CRSSelect profile
CVE-2025-63218
9.8π
The Axel TechnologyMultiple Products
The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-63223
9.8
The Axel Technology StreamerMAX MK II devicesMultiple Products
The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-63224
10π
The Itel DAB EncoderMultiple Products
The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.
CVSS Base10
β
CRSSelect profile
CVE-2025-10437
9.8π
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Webpack Management System allows SQL Injection.This issue affects Webpack Management System: through 20251119.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-63206
9.8
An authentication bypass issue was discovered in Dasan SwitchMultiple Products
An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted cookies in the web browser.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-63210
9.8π
The Newtec Celox UHDMultiple Products
The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted responses from the /celoxservice endpoint. By injecting a forged response body during the loginWithUserName flow, the attacker can gain Superuser or Operator access without providing valid credentials.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-10571
9.6
Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB AbilityMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius.This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1.
CVSS Base9.6
β
CRSSelect profile
CVE-2025-63207
9.8
TheMultiple Products
The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. An attacker can send an unauthenticated POST request to change the Admin, Operator, and User passwords, resulting in complete system compromise.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-65021
9.1π
Rallly is anMultiple Products
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other usersβ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-13035
8π
WordPressMultiple Products
The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3
CVSS Base8
β
CRSSelect profile
CVE-2025-13145
7.2π
WordPressMultiple Products
The WP Import β Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7
CVSS Base7.2
β
CRSSelect profile
CVE-2025-12646
7.5π
WordPressMultiple Products
The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'dayofyear' parameter in all versions up to, and including, 1
CVSS Base7.5
β
CRSSelect profile
CVE-2025-62207
8.6
AzureMultiple Products
Azure Monitor Elevation of Privilege Vulnerability
CVSS Base8.6
β
CRSSelect profile
CVE-2025-62459
8.3
MicrosoftMultiple Products
Microsoft Defender Portal Spoofing Vulnerability
CVSS Base8.3
β
CRSSelect profile
CVE-2025-63889
7.5
fetchMultiple Products
The fetch function in file thinkphp\library\think\Template
CVSS Base7.5
β
CRSSelect profile
CVE-2025-12484
7.2
WordPressMultiple Products
The Giveaways and Contests by RafflePress β Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1
CVSS Base7.2
β
CRSSelect profile
CVE-2025-13206
7.2
WordPressMultiple Products
The GiveWP β Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βnameβ parameter in all versions up to, and including, 4
CVSS Base7.2
β
CRSSelect profile
CVE-2025-40601
7.5
SonicOS SSLVPNMultiple Products
A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63220
7.2
TheMultiple Products
The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package
CVSS Base7.2
β
CRSSelect profile
CVE-2025-11001
7
UnknownMultiple Products
7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
CVSS Base7
β
CRSSelect profile
CVE-2025-11230
7.5
InefficientMultiple Products
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63209
7.5
ControlMultiple Products
The ELCA Star Transmitter Remote Control firmware 1
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63932
7.3
D-LinkMultiple Products
D-Link Router DIR-868L A1 FW106KRb01
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13400
8.8
wasMultiple Products
A vulnerability was detected in Tenda CH22 1
CVSS Base8.8
β
CRSSelect profile
CVE-2025-65103
8.8
OpenSTAManagerMultiple Products
OpenSTAManager is an open source management software for technical assistance and invoicing
CVSS Base8.8
β
CRSSelect profile
CVE-2025-13445
8.8
flawMultiple Products
A flaw has been found in Tenda AC21 16
CVSS Base8.8
β
CRSSelect profile
CVE-2025-13446
8.8
hasMultiple Products
A vulnerability has been found in Tenda AC21 16
CVSS Base8.8
β
CRSSelect profile
CVE-2025-48986
8.8
ReviveMultiple Products
Authorization bypass in Revive Adserver 5
CVSS Base8.8
β
CRSSelect profile
CVE-2025-36072
8.8
IBMMultiple Products
IBM webMethods Integration 10
CVSS Base8.8
β
CRSSelect profile
CVE-2025-64655
8.8
ImproperMultiple Products
Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network
CVSS Base8.8
β
CRSSelect profile
CVE-2025-52668
8.7
ImproperMultiple Products
Improper input neutralization in the stats-conversions
CVSS Base8.7
β
CRSSelect profile
CVE-2025-65025
8.2
UnknownMultiple Products
esm
CVSS Base8.2
β
CRSSelect profile
CVE-2025-65029
8.1
RalllyMultiple Products
Rallly is an open-source scheduling and collaboration tool
CVSS Base8.1
β
CRSSelect profile
CVE-2025-65033
8.1
RalllyMultiple Products
Rallly is an open-source scheduling and collaboration tool
CVSS Base8.1
β
CRSSelect profile
CVE-2025-65034
8.1
RalllyMultiple Products
Rallly is an open-source scheduling and collaboration tool
CVSS Base8.1
β
CRSSelect profile
CVE-2025-64759
8.1
HomarrMultiple Products
Homarr is an open-source dashboard
CVSS Base8.1
β
CRSSelect profile
CVE-2025-63219
7.5
ITELMultiple Products
The ITEL ISO FM SFN Adapter (firmware ISO2 2
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63205
7.5
firmwareMultiple Products
An issue was discovered in bridgetech probes VB220 IP Network Probe,VB120 Embedded IP + RF Probe, VB330 High-Capacity Probe, VB440 ST 2110 Production Analytics Probe, and NOMAD, firmware versions 6
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63208
7.5
firmwareMultiple Products
An issue was discovered in bridgetech VB288 Objective QoE Content Extractor, firmware version 5
CVSS Base7.5
β
CRSSelect profile
CVE-2025-51661
7.5
pathMultiple Products
A path Traversal vulnerability found in FileCodeBox v2
CVSS Base7.5
β
CRSSelect profile
CVE-2025-51663
7.5
foundMultiple Products
A vulnerability found in IPRateLimit implementation of FileCodeBox up to 2
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63371
7.5
ParipovicMultiple Products
Milos Paripovic OneCommander 3
CVSS Base7.5
β
CRSSelect profile
CVE-2025-60738
7.5
issueMultiple Products
An issue in Ilevia EVE X1 Server Firmware Version v4
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63700
7.5
issueMultiple Products
An issue was discovered in Clerk-js 5
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63685
7.5
QuarkMultiple Products
Quark Cloud Drive v3
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63807
7.5
issueMultiple Products
An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13)
CVSS Base7.5
β
CRSSelect profile
CVE-2025-13395
7.3
securityMultiple Products
A security flaw has been discovered in codehub666 94list up to 5831c8240e99a72b7d3508c79ef46ae4b96befe8
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13410
7.3
OnlineMultiple Products
A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-63719
7.3
ManagementMultiple Products
Campcodes Online Hospital Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13420
7.3
ManagementMultiple Products
A weakness has been identified in itsourcecode Human Resource Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13421
7.3
ManagementMultiple Products
A security vulnerability has been detected in itsourcecode Human Resource Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13422
7.3
ManagementMultiple Products
A vulnerability was detected in freeprojectscodes Sports Club Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13442
7.3
securityMultiple Products
A security vulnerability has been detected in UTT θΏε 750W up to 3
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13449
7.3
ShopMultiple Products
A vulnerability was found in code-projects Online Shop Project 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-13451
7.3
ShopMultiple Products
A vulnerability was identified in SourceCodester Online Shop Project 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-12120
7.3
LiteMultiple Products
Lite XL versions 2
CVSS Base7.3
β
CRSSelect profile
CVE-2025-12121
7.3
LiteMultiple Products
Lite XL versions 2
CVSS Base7.3
β
CRSSelect profile
CVE-2025-65022
7.2
UnknownMultiple Products
i-Educar is free, fully online school management software
CVSS Base7.2
β
CRSSelect profile
CVE-2025-65023
7.2
UnknownMultiple Products
i-Educar is free, fully online school management software
CVSS Base7.2
β
CRSSelect profile
CVE-2025-65024
7.2
UnknownMultiple Products
i-Educar is free, fully online school management software
CVSS Base7.2
β
CRSSelect profile
CVE-2025-0643
7.2
Narkom CommunicationMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narkom Communication and Software Technologies Trade Ltd
CVSS Base7.2
β
CRSSelect profile
CVE-2025-0645
7.2
Narkom CommunicationMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in Narkom Communication and Software Technologies Trade Ltd
CVSS Base7.2
β
CRSSelect profile
CVE-2025-64764
7.1
AstroMultiple Products
Astro is a web framework
CVSS Base7.1
β
CRSSelect profile
CVE-2025-65030
7.1
RalllyMultiple Products
Rallly is an open-source scheduling and collaboration tool
CVSS Base7.1
β
CRSSelect profile
CVE-2025-52670
7.1
ReviveMultiple Products
Missing authorization check in Revive Adserver 5
CVSS Base7.1
β
CRSSelect profile
CVE-2025-13433
7
GroupMultiple Products
A security flaw has been discovered in Muse Group MuseHub 2