An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
Description
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
Search and filter 17282 vulnerabilities with AI analyst insights
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5
An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The di...
An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Update An issue was discovered on Thermo Fisher Ion Torrent OneTouch Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionad...
The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges.
---METADATA---
VENDOR: Thermo Fisher
PRODUCT: Torrent Suite Django application
AFFECTED_VERSIONS: 5.18.1
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
The Thermo Fisher Torrent Suite Django application 5.18.1 contains weak default administrative credentials that are not enforced to be changed, allowing unauthorized access to the Django ORM API.
Executive Summary:
A critical vulnerability in the Thermo Fisher Torrent Suite Django application allows unauthenticated attackers to gain administrative access via hardcoded default credentials.
Vulnerability Details
CVE-ID: CVE-2025-54303
Affected Software: Thermo Fisher Torrent Suite Django application
Affected Versions: 5.18.1
Vulnerability: This vulnerability involves the use of weak, hardcoded default credentials for the "ionadmin" account within the Django ORM API. Because the software fails to enforce a password change policy, attackers can easily authenticate with administrative privileges.
Business Impact
The exploitation of this vulnerability grants an attacker full administrative control over the application. Given the CVSS score of 9.8, this poses a severe risk of total system compromise, unauthorized data access, and potential manipulation of sensitive sequencing data. The lack of enforced credential rotation significantly increases the likelihood of successful lateral movement within the network.
Remediation Plan
Immediate Action: Change the default "ionadmin" password immediately to a complex, unique string and implement an organizational policy for credential rotation.
Proactive Monitoring: Review access logs for successful logins originating from unauthorized or unexpected IP addresses, particularly those targeting the Django ORM API.
Compensating Controls: Restrict network access to the Torrent Suite application using access control lists (ACLs) or a firewall to ensure it is not exposed to untrusted networks.
Exploitation Status
Public Exploit Available: N/A
Analyst Notes: As of Dec 4, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability represents a significant security oversight that provides trivial access to administrative functions. Administrators must prioritize updating credentials immediately and ensuring the application is isolated from public-facing network segments to mitigate the risk of unauthorized access.
Update The Thermo Fisher Torrent Suite Django application Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Animate versions 23
Animate versions 23
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Bridge versions 14
Bridge versions 14
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Adobe Commerce versions 2
Adobe Commerce versions 2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Adobe Commerce versions 2
Adobe Commerce versions 2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Substance3D - Stager versions 3
Substance3D - Stager versions 3
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Travers...
ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary co...
---METADATA---
VENDOR: Adobe
PRODUCT: ColdFusion
AFFECTED_VERSIONS: 2025.3, 2023.15, 2021.21 and earlier
CONFIDENCE: high
MISSING: exploit_status, technical_details
---END_METADATA---
Description Summary:
Adobe ColdFusion contains a Path Traversal vulnerability that allows unauthorized parties to read or access files outside of the intended directory.
Executive Summary:
Adobe ColdFusion is susceptible to a path traversal vulnerability that could allow attackers to access restricted directories, posing a severe risk to sensitive data.
Vulnerability Details
CVE-ID: CVE-2025-54261
Affected Software: Adobe ColdFusion
Affected Versions: 2025.3, 2023.15, 2021.21 and earlier
Vulnerability: This is an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability. It allows an attacker to escape the web root and access sensitive files on the host filesystem.
Business Impact
The CVSS score of 9.0 reflects the critical nature of this flaw, as it can lead to the unauthorized disclosure of sensitive configuration files, credentials, or system data. Such access facilitates further exploitation and may result in a total compromise of the application environment.
Remediation Plan
Immediate Action: Upgrade to the latest version of Adobe ColdFusion as specified in the vendor's security advisory to remediate the path traversal flaw.
Proactive Monitoring: Review web server access logs for patterns containing directory traversal sequences such as "../" or unusual file access attempts.
Compensating Controls: Ensure the web server process is running with the principle of least privilege, restricting its ability to access files outside of the designated web root.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Sep 9, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Path traversal vulnerabilities in server-side technologies like ColdFusion are frequently targeted. Administrators must prioritize applying the provided vendor patches immediately to prevent unauthorized access to the underlying server files.
Update ColdFusion versions Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Substance3D - Modeler versions 1
Substance3D - Modeler versions 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Substance3D - Modeler versions 1
Substance3D - Modeler versions 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Substance3D - Modeler versions 1
Substance3D - Modeler versions 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Acrobat Reader versions 24
Acrobat Reader versions 24
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Dreamweaver Desktop versions 21
Dreamweaver Desktop versions 21
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Adobe Experience Manager versions 6
Adobe Experience Manager versions 6
Executive Summary:
A high-severity vulnerability has been identified in Adobe Experience Manager (AEM), a widely used content management system. Successful exploitation could allow a remote, unauthenticated attacker to take complete control of the affected server, potentially leading to significant data breaches, website defacement, and service disruption. Organizations are strongly advised to apply the vendor-provided security patches immediately to mitigate this critical risk.
Vulnerability Details
CVE-ID: CVE-2025-54254
Affected Software: Adobe Experience Manager
Affected Versions: Adobe Experience Manager versions 6.x. See vendor advisory for specific affected versions.
Vulnerability: The vulnerability exists due to improper input validation in a core component of Adobe Experience Manager. A remote, unauthenticated attacker can send a specially crafted request to a publicly exposed endpoint. This request can trigger a deserialization flaw, allowing the attacker to execute arbitrary code on the underlying server with the privileges of the AEM service account, leading to a full system compromise.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.6. Exploitation could have a severe and direct impact on the business. Potential consequences include the theft of sensitive data managed within AEM, such as customer information or proprietary intellectual property. An attacker could also deface public-facing websites, causing significant reputational damage, or use the compromised server as a foothold to launch further attacks against the internal corporate network. The complete loss of confidentiality, integrity, and availability of the AEM platform is possible.
Remediation Plan
Immediate Action:
The primary remediation is to apply the security updates provided by Adobe across all vulnerable AEM instances. Before deployment to production environments, these patches should be tested in a staging environment to ensure compatibility and stability. All relevant change management procedures should be followed.
Proactive Monitoring:
Security teams should actively monitor for signs of compromise. This includes reviewing AEM application and web server access logs for unusual or malformed requests, especially to unexpected endpoints. Monitor system-level events for suspicious processes spawned by the AEM service. Network monitoring should be configured to detect anomalous outbound traffic from AEM servers, which could indicate data exfiltration.
Compensating Controls:
If immediate patching is not feasible, implement the following compensating controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of August 5, 2025, there is no known public proof-of-concept exploit code available, and there are no reports of this vulnerability being actively exploited in the wild. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the public disclosure of a high-severity vulnerability often precedes active scanning and exploitation attempts by threat actors.
Analyst Recommendation
Given the high CVSS score of 8.6 and the critical role of AEM in managing digital assets and web content, this vulnerability poses a significant risk to the organization. We strongly recommend that the vendor-supplied patches be applied as a top priority, starting with internet-facing systems. Although there is no current evidence of exploitation, the severity of the vulnerability means that it is a highly attractive target for attackers. Proactive patching is the most effective way to prevent a potential compromise.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. A...
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to by...
Executive Summary:
A critical misconfiguration vulnerability has been identified in Adobe Experience Manager (AEM), assigned a maximum CVSS severity score of 10. This flaw allows an unauthenticated attacker to execute arbitrary code on the server, potentially leading to a complete system compromise. Organizations must take immediate action to patch affected systems to prevent data theft, service disruption, and further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-54253
Affected Software: Adobe Experience Manager
Affected Versions: 6.5.23 and earlier
Vulnerability:
The vulnerability stems from a default or insecure configuration within the Adobe Experience Manager platform. An attacker can exploit this misconfiguration, likely related to an exposed OSGi console or an improperly secured JCR (Java Content Repository) path, to upload and deploy a malicious code package or OSGi bundle. Once the malicious code is deployed, it executes with the privileges of the AEM service account, granting the attacker full control over the application server and underlying operating system.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 10, representing the highest possible risk. Successful exploitation would grant an attacker complete control over the AEM server, leading to severe business consequences. These include the theft of sensitive data stored or managed by AEM (e.g., customer data, proprietary information), website defacement, complete service disruption, and significant reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network, escalating the security incident.
Remediation Plan
Immediate Action:
Immediately apply the security updates provided by Adobe to upgrade all AEM instances to a version higher than 6.5.23. Before and after patching, closely monitor for any signs of active exploitation. Review access logs, audit logs, and OSGi bundle configurations for any unauthorized changes or suspicious activity occurring prior to the patch deployment.
Proactive Monitoring:
Implement enhanced monitoring to detect potential exploitation attempts.
/system/console. Look for logs indicating new package installations or OSGi bundle state changes (install, start).crx-quickstart/launchpad/felix directory, for unauthorized file creation or modification.Compensating Controls:
If immediate patching is not feasible, implement the following controls to reduce risk:
/system/console, /crx/de). These should never be exposed to the public internet.Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of Aug 5, 2025, there is no known public proof-of-concept exploit code for this vulnerability. However, due to the critical CVSS score of 10 and the nature of misconfiguration vulnerabilities, it is highly likely that threat actors will develop and deploy exploits rapidly. Organizations should operate under the assumption that exploitation is imminent.
Analyst Recommendation
Given the critical severity (CVSS 10) and the potential for complete system compromise, this vulnerability poses an extreme risk to the organization. The highest priority is to apply the vendor-provided patches to all affected Adobe Experience Manager instances without delay. While this CVE is not currently on the CISA KEV list, its characteristics make it a strong candidate for future inclusion. All remediation and monitoring actions should be treated with the utmost urgency to prevent a potentially catastrophic security breach.
Update Adobe Experience Manager versions Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Deadline: November 4, 2025
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Adobe Experience Manager versions 6
Adobe Experience Manager versions 6
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Substance3D - Viewer versions 0
Substance3D - Viewer versions 0
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Substance3D - Viewer versions 0
Substance3D - Viewer versions 0
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Substance3D - Viewer versions 0
Substance3D - Viewer versions 0
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Premiere Pro versions 25
Premiere Pro versions 25
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vul...
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this t...
Executive Summary:
A critical vulnerability has been discovered in multiple versions of Adobe Commerce that could allow an unauthenticated remote attacker to take complete control of an affected e-commerce site. This flaw, rooted in improper input validation, could lead to severe business consequences, including the theft of sensitive customer data, financial fraud, and significant reputational damage. Immediate patching is required to mitigate this high-risk threat.
Vulnerability Details
CVE-ID: CVE-2025-54236
Affected Software: Adobe Commerce versions Multiple Products
Affected Versions: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier versions.
Vulnerability: The vulnerability is classified as Improper Input Validation. A remote, unauthenticated attacker can send a specially crafted request to a publicly accessible application endpoint. The application fails to properly sanitize the input data within this request before passing it to a backend component, which could lead to arbitrary code execution on the server. An attacker does not need any prior authentication or user interaction to exploit this flaw, making it highly critical and easily weaponized.
Business Impact
This vulnerability is of critical severity with a CVSS score of 9.1. Successful exploitation would grant an attacker full control over the underlying server hosting the Adobe Commerce platform. This could result in the complete compromise of the e-commerce environment, leading to the theft of the entire customer database, including Personally Identifiable Information (PII) and payment card data. Further impacts include financial loss through fraudulent transactions, service disruption, website defacement, and the use of the compromised server to attack other systems, causing severe reputational and legal damage.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Sep 9, 2025, there are no known public exploits or proof-of-concept (PoC) code available for this vulnerability. However, due to the critical severity and the widespread deployment of Adobe Commerce, it is highly probable that threat actors are actively researching and developing exploit code. The window between disclosure and active exploitation is expected to be very short.
Analyst Recommendation
Given the critical CVSS score of 9.1 and the potential for a remote, unauthenticated attacker to achieve full system compromise, this vulnerability represents a severe and immediate threat to the organization. We strongly recommend that all affected Adobe Commerce instances be patched immediately, without delay. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion. Organizations should treat this vulnerability with the highest priority and assume active exploitation is imminent.
Update Adobe Commerce versions Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Deadline: November 13, 2025
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1
Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1
Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1
Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1
Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1
The Sante PACS Server Web Portal sends credential information without encryption
The Sante PACS Server Web Portal sends credential information without encryption
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL...
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme This vulnerability affects Firefox for iOS...
Executive Summary:
A critical vulnerability has been identified in the QR scanner component of Firefox for iOS. An attacker can craft a malicious QR code that, when scanned by a user, automatically opens an arbitrary and potentially malicious website without proper user validation. Successful exploitation could lead to sophisticated phishing attacks, credential theft, or malware distribution, posing a significant risk to user data and corporate security.
Vulnerability Details
CVE-ID: CVE-2025-54145
Affected Software: The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability exists within the QR scanner functionality of Firefox for iOS due to improper handling of a specific "open-text URL scheme." An attacker can embed a specially crafted URL within a QR code. When a victim scans this malicious QR code, the vulnerable application fails to correctly parse or sanitize the URL, causing it to bypass security warnings and automatically navigate the browser to a destination controlled by the attacker. The exploit relies on social engineering to persuade a user to scan the QR code.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.1, reflecting the potential for significant damage with minimal user interaction post-scan. Exploitation can directly lead to targeted phishing campaigns against employees, resulting in the theft of corporate credentials, financial information, or other sensitive data. Further risks include the distribution of malware or spyware to mobile devices, potentially leading to a wider network compromise, data breaches, and reputational damage for the organization.
Remediation Plan
Immediate Action: Update The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Proactive Monitoring: Security teams should monitor for signs of exploitation, including unusual outbound traffic from mobile devices to uncategorized or known malicious domains. Review logs from Mobile Device Management (MDM) and web filtering solutions for suspicious URL access patterns originating from Firefox for iOS. Monitor for an increase in user-reported phishing attempts.
Compensating Controls: If immediate patching is not feasible, implement user awareness training focused on the dangers of scanning QR codes from untrusted or unknown sources. Employ network-level security controls, such as DNS filtering and secure web gateways, to block access to malicious websites as a secondary line of defense.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Aug 19, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability in the wild. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the low complexity of the attack vector means that exploits could be developed easily.
Analyst Recommendation
Given the critical CVSS score of 9.1 and the direct risk of phishing and data compromise, we strongly recommend that organizations prioritize the immediate patching of this vulnerability. All instances of Firefox for iOS on corporate and BYOD devices should be updated to the latest version as soon as possible. Additionally, organizations should issue a security bulletin to all users, advising them to update their application and exercise extreme caution when scanning QR codes.
Update The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page...
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page This vulnerability affects Firefox for iOS < 141.
Executive Summary:
A critical vulnerability has been identified in Mozilla Firefox for iOS which allows a malicious website to bypass security restrictions and download files directly to a user's device. An attacker could exploit this flaw by tricking a user into visiting a specially crafted webpage, potentially leading to malware infection or the delivery of other harmful content. Due to the high severity, immediate action is required to update all affected browsers.
Vulnerability Details
CVE-ID: CVE-2025-54143
Affected Software: Mozilla Firefox for iOS
Affected Versions: All versions prior to 141
Vulnerability: This vulnerability exists in the way Firefox for iOS handles sandboxed iframes. The 'sandbox' attribute is a security mechanism designed to restrict the actions of embedded content on a webpage, such as preventing automatic downloads. An attacker can create a malicious webpage with a specially crafted iframe that bypasses these sandbox restrictions, allowing it to initiate a file download to the user's device without their consent. Exploitation simply requires a user on a vulnerable device to navigate to the attacker's webpage.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant risk to the organization. Successful exploitation could lead to "drive-by download" attacks, where malware, ransomware, or spyware is installed on corporate or personal iOS devices. This could result in the theft of sensitive corporate data, compromise of user credentials, and an initial foothold for attackers to move laterally across the corporate network. The potential for data breaches and system compromise presents a severe financial and reputational risk.
Remediation Plan
Immediate Action: Update all instances of Mozilla Firefox for iOS to version 141 or later. Prioritize this update for all managed corporate and BYOD devices to eliminate the vulnerability. Ensure mobile device management (MDM) policies enforce the deployment of this update immediately.
Proactive Monitoring: Security teams should monitor for signs of exploitation. This includes reviewing web proxy and firewall logs for unusual file downloads originating from iOS devices, particularly from untrusted websites. Utilize Mobile Threat Defense (MTD) or EDR solutions to detect suspicious file creation or anomalous behavior originating from the Firefox for iOS application.
Compensating Controls: If immediate patching is not feasible, implement the following controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Aug 19, 2025, there are no known public exploits or reports of this vulnerability being actively exploited in the wild. However, given the critical CVSS score and the straightforward attack vector, it is highly probable that threat actors will develop and deploy exploits. Organizations should assume an attack is imminent and act accordingly.
Analyst Recommendation
Given the critical severity of this vulnerability (CVSS 9.8), organizations must treat its remediation as the highest priority. The risk of a remote, unauthenticated attacker delivering a malicious payload through a common web browser is exceptionally high. Although this CVE is not currently on the CISA KEV list, its potential impact warrants immediate action. We strongly recommend identifying all vulnerable instances of Firefox for iOS within the environment and updating them to a patched version without delay.
Update Sandboxed iframes on webpages could potentially allow downloads to the Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
ViewVC is a browser interface for CVS and Subversion version control repositories
ViewVC is a browser interface for CVS and Subversion version control repositories
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
pyLoad is a free and open-source Download Manager written in pure Python
pyLoad is a free and open-source Download Manager written in pure Python
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating syst...
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems
Executive Summary:
A high-severity vulnerability has been discovered in LibreNMS, a widely used network monitoring platform. This flaw could allow an unauthenticated remote attacker to gain unauthorized access to sensitive information stored within the system, such as device credentials and network configurations. Successful exploitation could lead to a broader compromise of the monitored network infrastructure, posing a significant risk to the organization's security and operational stability.
Vulnerability Details
CVE-ID: CVE-2025-54138
Affected Software: LibreNMS Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is an unauthenticated SQL Injection flaw within the web-based user interface of LibreNMS. An attacker can exploit this by sending a specially crafted HTTP request to a publicly accessible application endpoint. By manipulating a parameter in this request, the attacker can inject malicious SQL queries, bypassing authentication and directly interacting with the backend database to read, modify, or exfiltrate sensitive data, including user credentials, SNMP community strings, and detailed network device information.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have severe consequences for the business. An attacker gaining access to the LibreNMS database could steal credentials for critical network infrastructure like routers, switches, and firewalls. This access could be leveraged to pivot deeper into the corporate network, conduct espionage, disrupt network services, or deploy ransomware. The exposure of network topology and configuration data also presents a significant security risk, providing attackers with a detailed map of the organization's digital assets.
Remediation Plan
Immediate Action: Apply the security updates provided by the LibreNMS vendor immediately across all affected instances. After patching, conduct a thorough review of web server and application access logs, searching for any indicators of compromise or exploitation attempts that may have occurred prior to the update.
Proactive Monitoring: System administrators should actively monitor web server logs for suspicious requests containing SQL keywords (e.g., SELECT, UNION, '--, OR 1=1) in URL parameters. Monitor for unusual outbound network traffic from the LibreNMS server, which could indicate data exfiltration. Set up alerts for repeated failed login attempts on network devices using credentials known to be stored in LibreNMS.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attacks. Additionally, restrict network access to the LibreNMS web interface to only trusted IP addresses or require access via a secure VPN connection to limit the attack surface.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of July 23, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, given the high severity and the critical function of LibreNMS, security researchers and threat actors are highly likely to develop exploit code in the near future. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Due to the high-impact nature of this vulnerability, we strongly recommend that organizations treat this as a critical priority. The potential for an unauthenticated attacker to compromise an entire network environment by targeting the central monitoring system cannot be overstated. All instances of LibreNMS should be patched immediately. If patching is delayed for any reason, the compensating controls outlined above must be implemented as an urgent interim measure to mitigate the immediate risk.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend
HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cursor is a code editor built for programming with AI
Cursor is a code editor built for programming with AI
Cursor is a code editor built for programming with AI
Cursor is a code editor built for programming with AI
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cursor is a code editor built for programming with AI
Cursor is a code editor built for programming with AI
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command inject...
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware`...
---METADATA---
VENDOR: Hoverfly
PRODUCT: Hoverfly
AFFECTED_VERSIONS: 1.11.3 and prior
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
Hoverfly contains a command injection vulnerability in its middleware functionality at the /api/v2/hoverfly/middleware endpoint, allowing unauthorized remote code execution.
Executive Summary:
A critical command injection vulnerability in Hoverfly versions 1.11.3 and prior allows unauthenticated attackers to execute arbitrary system commands.
Vulnerability Details
CVE-ID: CVE-2025-54123
Affected Software: Hoverfly
Affected Versions: 1.11.3 and prior
Vulnerability: This vulnerability involves improper input validation within the middleware configuration API. An unauthenticated attacker can supply malicious payloads to the command execution interface, resulting in full system compromise.
Business Impact
The CVSS score of 9.8 reflects the high risk of this vulnerability, which grants attackers full control over the underlying host operating system. Successful exploitation could result in total data exfiltration, service disruption, and lateral movement within the network, posing a severe threat to business continuity.
Remediation Plan
Immediate Action: Upgrade to the latest available version of Hoverfly that addresses this command injection flaw.
Proactive Monitoring: Inspect server access logs for anomalous requests directed at the /api/v2/hoverfly/middleware endpoint and monitor system processes for unexpected child spawns.
Compensating Controls: Implement strict network segmentation and apply WAF rules to block malicious input patterns targeting the middleware API until the software can be patched.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Sep 10, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the critical severity of this command injection vulnerability, immediate patching is required to prevent unauthorized system access. Organizations should prioritize updating all instances of Hoverfly to the latest version to mitigate the risk of remote code execution.
Update Hoverfly is an open source API simulation Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified i...
Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desk...
Executive Summary:
A critical vulnerability has been discovered in Manager.io accounting software, rated with the highest possible severity score. An unauthenticated attacker can exploit this flaw remotely to force the server to access internal network resources or sensitive cloud services, potentially leading to a full compromise of sensitive financial data and the internal corporate network.
Vulnerability Details
CVE-ID: CVE-2025-54122
Affected Software: Manager-io/Manager
Affected Versions: See vendor advisory for specific affected versions.
Vulnerability: The vulnerability is a Server-Side Request Forgery (SSRF) within the proxy handler component of the software. An unauthenticated attacker can craft a malicious request to the application, tricking the server into making a web request on their behalf to an arbitrary destination. This allows the attacker to bypass firewalls and access internal, non-public services, scan the internal network for open ports, or interact with cloud provider metadata services (like AWS IMDS) to steal access credentials.
Business Impact
This vulnerability is of critical severity with a CVSS score of 10, indicating the highest possible risk. Successful exploitation could lead to catastrophic business consequences, including the unauthorized disclosure of highly sensitive financial data, customer records, and proprietary business information managed by the accounting software. An attacker could leverage this access to pivot deeper into the corporate network, leading to a wider system compromise, significant financial loss, severe reputational damage, and potential regulatory penalties.
Remediation Plan
Immediate Action: Update all instances of Manager.io accounting software to the latest patched version immediately as recommended by the vendor. After patching, it is crucial to monitor for any signs of post-remediation exploitation attempts and thoroughly review historical access logs for indicators of compromise prior to the patch.
Proactive Monitoring: Security teams should monitor web server and application logs for unusual outbound requests originating from the Manager server. Specifically, look for requests targeting internal IP address ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.1), or cloud metadata endpoints (e.g., 169.254.169.254).
Compensating Controls: If immediate patching is not feasible, implement strict egress filtering at the network firewall to block the server from initiating connections to internal resources and non-essential external destinations. Deploying a Web Application Firewall (WAF) with rules specifically designed to detect and block SSRF attack patterns can also serve as an effective temporary mitigation.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Jul 21, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical CVSS score of 10 and the unauthenticated nature of the flaw, security researchers and threat actors are highly likely to develop and release exploit code in the near future.
Analyst Recommendation
Given the critical severity (CVSS 10) of this vulnerability, immediate action is required. Organizations must treat the remediation of CVE-2025-54122 as their highest security priority. Although this vulnerability is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion. We strongly recommend applying the vendor-supplied patches across all affected systems without delay. If patching is not immediately possible, implement the compensating controls outlined above and escalate monitoring efforts to detect any potential exploitation attempts.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper...
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attack...
Executive Summary:
A critical vulnerability has been identified in the ADOdb PHP database abstraction library, a component used by numerous web applications. This flaw, designated with the highest possible severity score, could allow a remote, unauthenticated attacker to inject malicious commands into the database. Successful exploitation could lead to a complete compromise of the application's data and the underlying server, resulting in significant data breaches and system downtime.
Vulnerability Details
CVE-ID: CVE-2025-54119
Affected Software: ADOdb PHP database abstraction library
Affected Versions: 5.22.9 and below
Vulnerability: The vulnerability is a critical SQL Injection flaw resulting from the improper escaping of user-supplied input used in database queries. A remote, unauthenticated attacker can craft a special input string that, when processed by a vulnerable application using the ADOdb library, is interpreted as a direct SQL command. This allows the attacker to bypass application logic and execute arbitrary commands on the database, potentially leading to data exfiltration, modification, deletion, and, depending on database permissions, remote code execution on the host server.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 10.0, representing the highest possible risk. Exploitation could have catastrophic consequences for the organization, including the theft of sensitive data such as customer PII, financial records, and intellectual property. An attacker could also manipulate or destroy critical data, causing severe operational disruption and reputational damage. The potential for full server compromise means an attacker could use the affected system as a pivot point to launch further attacks against the internal network.
Remediation Plan
Immediate Action: Update all instances of the ADOdb library to the latest version (above 5.22.9) as recommended by the vendor. This is the most effective way to remediate the vulnerability. All development and production environments using this library must be inventoried and patched immediately, with a priority on public-facing applications.
Proactive Monitoring: Closely monitor web server and database access logs for signs of exploitation attempts. Look for suspicious requests containing SQL keywords (e.g., UNION, SELECT, --, SLEEP), stacked queries, or unusual character encodings in URL parameters and POST data. Implement alerts for anomalous database query patterns or errors that could indicate a failed or successful injection attempt.
Compensating Controls: If patching cannot be immediately deployed, implement a Web Application Firewall (WAF) with strict SQL injection detection and prevention rules. Ensure database user accounts used by web applications operate with the principle of least privilege, restricting their ability to modify the database schema or access the underlying file system, which can limit the impact of a successful exploit.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of Aug 5, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical CVSS score of 10.0 and the ease of exploitation for this type of flaw, it is highly probable that proof-of-concept (PoC) code and active scanning will emerge within days. Organizations should assume imminent exploitation.
Analyst Recommendation
This vulnerability represents a grave and immediate threat to the organization. Given the critical severity (CVSS 10.0) and the potential for complete system compromise, immediate remediation is required. Although CVE-2025-54119 is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. We strongly recommend treating this as an emergency and initiating immediate patching procedures across all systems using the affected ADOdb library.
Update ADOdb is a PHP database class library that provides abstractions for performing queries and managing Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2...
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject...
Executive Summary:
A critical cross-site scripting (XSS) vulnerability has been identified in the NamelessMC website software. This flaw allows an authenticated attacker to inject malicious code into web pages, which can then execute in the browsers of other users, potentially leading to account compromise, data theft, and unauthorized administrative actions.
Vulnerability Details
CVE-ID: CVE-2025-54117
Affected Software: NamelessMC
Affected Versions: All versions prior to 2.2.3
Vulnerability: The vulnerability is a persistent Cross-Site Scripting (XSS) flaw. An authenticated attacker can inject malicious scripts (e.g., JavaScript) into content fields that are stored by the application and later rendered to other users. When a victim, particularly an administrator, views the compromised page, the malicious script executes within their browser, allowing the attacker to bypass security controls, steal session cookies, impersonate the user, or perform actions on their behalf.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9. Successful exploitation could lead to a complete compromise of the NamelessMC website. An attacker could take over administrator accounts, deface the website, steal sensitive user data (including credentials or personal information), or use the trusted website to distribute malware to its user base. This poses a significant risk to data integrity, confidentiality, and organizational reputation.
Remediation Plan
Immediate Action: Immediately update all instances of NamelessMC to version 2.2.3 or the latest available version to patch the vulnerability. After updating, it is crucial to review access logs and audit logs for any signs of suspicious activity or unauthorized administrative changes that may have occurred prior to the patch.
Proactive Monitoring: Implement continuous monitoring of application and web server logs. Look for suspicious input containing HTML tags, script tags (<script>, <img>, <a>), or JavaScript event handlers (e.g., onerror, onload) in user-submitted data. Monitor for unusual outbound network traffic from the web server, which could indicate data exfiltration.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a strict ruleset designed to detect and block common XSS attack payloads. Additionally, review and strengthen the website's Content Security Policy (CSP) to restrict the execution of inline scripts and limit the domains from which scripts can be loaded.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date of Aug 18, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, due to the ease of exploitation for authenticated users, the risk of future exploitation is high.
Analyst Recommendation
Given the critical CVSS score of 9, it is strongly recommended that organizations using affected versions of NamelessMC prioritize the deployment of the security update immediately. Although the vulnerability requires an attacker to be authenticated, the potential impact of a successful exploit—such as full administrative compromise—is severe. Organizations should treat this as an urgent threat and apply the vendor-supplied patch without delay.
Update NamelessMC is a Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Executive Summary:
A critical vulnerability exists in the Windows Routing and Remote Access Service (RRAS) that could allow an unauthenticated attacker to take full control of an affected system over the network. This heap-based buffer overflow flaw enables remote code execution, posing a significant risk of data breach, system compromise, and further network intrusion. Organizations are urged to apply security updates immediately to mitigate this high-severity threat.
Vulnerability Details
CVE-ID: CVE-2025-54113
Affected Software: Windows Routing and Remote Access Service (RRAS)
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is a heap-based buffer overflow within the Windows Routing and Remote Access Service (RRAS). An unauthenticated attacker can exploit this flaw by sending a specially crafted network packet to a server running the vulnerable RRAS service. Successful exploitation overwrites memory structures on the heap, leading to arbitrary code execution with the privileges of the RRAS service, which typically runs with high-level system permissions.
Business Impact
This vulnerability is classified as a High severity with a CVSS score of 8.8. A successful exploit could have severe consequences for the business, allowing an attacker to achieve a complete system compromise. The potential impacts include the theft of sensitive data, deployment of ransomware, disruption of critical network services like VPN access, and using the compromised server as a foothold to launch further attacks against the internal network. Given that RRAS is often deployed on internet-facing servers, this vulnerability represents a critical risk to the network perimeter.
Remediation Plan
Immediate Action: Apply vendor security updates immediately across all affected systems. After patching, monitor for any post-patch exploitation attempts and review system and network access logs for any indicators of compromise that may have occurred prior to remediation.
Proactive Monitoring: Implement enhanced monitoring for RRAS servers. Look for crashes in the RRAS service (svchost.exe hosting RemoteAccess) within Windows Event Logs. Monitor network traffic for unusual or malformed packets directed at RRAS ports and configure IDS/IPS systems with relevant signatures once they become available.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the attack surface. Use a firewall or network access control lists (ACLs) to strictly limit network access to the RRAS service to only trusted IP addresses. If the service is not business-critical, consider disabling it entirely until a patch can be applied.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 9, 2025, there are no known public exploits for this vulnerability. However, given the high severity and the unauthenticated, remote nature of the flaw, it is highly probable that threat actors will actively work to develop exploit code. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the critical CVSS score of 8.8 and the potential for complete system compromise, organizations must treat this vulnerability with the highest priority. The primary recommendation is to apply the vendor-supplied security patches without delay, especially on internet-facing servers. Although not yet listed in the CISA KEV catalog, its characteristics make it an attractive target for exploitation. If patching is delayed, the compensating controls outlined above should be implemented immediately to mitigate risk.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Use after free in Windows UI XAML Phone DatePickerFlyout allows an authorized attacker to elevate privileges locally
Use after free in Windows UI XAML Phone DatePickerFlyout allows an authorized attacker to elevate privileges locally
Executive Summary:
A high-severity vulnerability, identified as CVE-2025-54111, has been discovered in multiple products from the vendor Use. This flaw is a "Use After Free" memory corruption issue that, if exploited, allows an attacker who already has access to a system to elevate their privileges, potentially gaining full administrative control over the affected machine.
Vulnerability Details
CVE-ID: CVE-2025-54111
Affected Software: Use Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is a Use-After-Free condition within the Windows UI XAML Phone DatePickerFlyout component. A Use-After-Free flaw occurs when an application attempts to access a memory location after it has been deallocated, which can lead to unpredictable behavior, including crashes or arbitrary code execution. To exploit this, an attacker with existing local, low-privilege access would need to run a specially crafted application that interacts with the DatePickerFlyout UI element in a way that triggers the memory corruption. By carefully manipulating the system's memory state following the initial error, the attacker could execute arbitrary code with SYSTEM-level privileges.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the affected system. An attacker with standard user access could leverage this flaw to gain administrative control, allowing them to install malicious software such as ransomware or spyware, exfiltrate sensitive corporate data, disable security controls, and use the compromised machine as a staging point for further attacks across the network. The primary risk is the loss of confidentiality, integrity, and availability on any workstation or server where an attacker can gain an initial foothold.
Remediation Plan
Immediate Action: Apply the security updates provided by the vendor across all affected systems immediately. Prioritize patching on critical systems, such as servers and workstations used by privileged users. After patching, continue to monitor for any exploitation attempts and review system and application access logs for anomalous activity.
Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes looking for unexpected crashes related to UI processes, suspicious process creation where a user-level process spawns a child process with elevated (SYSTEM) privileges, and alerts from Endpoint Detection and Response (EDR) solutions that detect memory corruption exploitation techniques.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce risk. Enforce the principle of least privilege to limit the capabilities of user accounts. Utilize application control or whitelisting solutions to prevent the execution of unauthorized code, which would block an attacker's payload. Ensure EDR tools are properly configured to detect and block common privilege escalation methods.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 9, 2025, there are no known public exploits for this vulnerability, and it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, privilege escalation vulnerabilities are highly sought after by threat actors. It is likely that proof-of-concept exploit code will be developed by security researchers and malicious actors in the near future.
Analyst Recommendation
Due to the high severity (CVSS 7.8) and the potential for a full system compromise, it is strongly recommended that organizations apply the vendor's security updates to all affected systems as a matter of priority. While this vulnerability is not yet known to be exploited in the wild, its nature as a local privilege escalation makes it a critical link in an attack chain for any adversary that has already gained initial access to a device. Patching should be treated as an urgent priority to prevent attackers from elevating their access and achieving objectives such as data theft or ransomware deployment.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally
Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Executive Summary:
A critical integer overflow vulnerability has been identified in the Windows Routing and Remote Access Service (RRAS). This flaw allows an unauthenticated attacker to remotely execute arbitrary code on an affected server, potentially leading to a full system compromise, data theft, and further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-54106
Affected Software: Microsoft Windows Routing and Remote Access Service (RRAS)
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is an integer overflow or wraparound condition within the RRAS component. An unauthenticated attacker can exploit this by sending a specially crafted network packet to a vulnerable RRAS server. When the server processes this packet, a specific integer value used for a memory operation (like calculating a buffer size) can exceed its maximum limit and "wrap around" to a very small number, leading to a memory allocation that is much smaller than expected. This results in a heap-based buffer overflow, which can be leveraged by the attacker to overwrite adjacent memory and execute arbitrary code with the privileges of the RRAS service, which are typically at the SYSTEM level.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could have a severe impact on the organization. An attacker gaining remote code execution on an RRAS server, which is often an internet-facing and critical network infrastructure component, can lead to a complete compromise of that system. Potential consequences include the exfiltration of sensitive data, deployment of ransomware, disruption of network services, and the ability for the attacker to use the compromised server as a pivot point to move laterally across the internal network, escalating the breach significantly.
Remediation Plan
Immediate Action: The primary and most effective remediation is to apply the security updates released by the vendor immediately across all affected systems. After patching, review system and RRAS access logs for any signs of exploitation attempts that may have occurred prior to the update.
Proactive Monitoring: Implement enhanced monitoring for RRAS servers. Security teams should look for:
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 9, 2025, there are no known public proof-of-concept exploits or observed active exploitation in the wild. However, due to the vulnerability's high severity, remote nature, and lack of authentication requirement, it is highly probable that threat actors will develop exploits for this vulnerability in the near future.
Analyst Recommendation
This vulnerability presents a significant risk to the organization and requires immediate attention. Given the high CVSS score of 8.8 and the potential for complete system compromise by an unauthenticated attacker, all affected RRAS servers must be patched on an emergency basis. While this CVE is not currently on the CISA KEV list, its characteristics make it a strong candidate for future inclusion. If patching cannot be performed immediately, the compensating controls, particularly restricting network access to the service, should be implemented as a top priority to mitigate the immediate threat.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally
Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally
Executive Summary:
A high-severity vulnerability exists within the Windows Connected Devices Platform Service, which could impact multiple products from the vendor "Use". An attacker who already has standard user access to a system can exploit this flaw to gain full administrative privileges. Successful exploitation would allow the attacker to take complete control of the affected machine, leading to potential data theft, malware installation, and further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-54102
Affected Software: Use Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is a "use-after-free" memory corruption flaw in the Windows Connected Devices Platform Service (cdpsvc). An authenticated attacker with local access can send specially crafted data to this service, causing it to incorrectly handle memory that has already been deallocated. By manipulating this memory corruption, the attacker can execute arbitrary code with the elevated permissions of the cdpsvc service, which typically runs with SYSTEM-level privileges, resulting in a full local privilege escalation.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation allows an attacker to escalate from a low-privilege user to a system administrator, completely compromising the confidentiality, integrity, and availability of the affected endpoint. A compromised system can be used to install persistent backdoors, deploy ransomware, exfiltrate sensitive data, disable security controls, and serve as a pivot point to move laterally across the corporate network, significantly increasing the risk of a widespread security breach.
Remediation Plan
Immediate Action: Identify all vulnerable systems and apply the security updates provided by the vendor immediately. Prioritize patching for critical systems, including servers and workstations with access to sensitive information. After patching, monitor for any signs of exploitation attempts by reviewing system and security logs for anomalous activity related to the Connected Devices Platform Service.
Proactive Monitoring: Configure security monitoring tools to detect potential exploitation. Look for crashes or unexpected restarts of the cdpsvc service in Windows Event Logs (System log). Monitor for suspicious child processes spawned by svchost.exe hosting the cdpsvc service. Endpoint Detection and Response (EDR) solutions should be tuned to detect memory exploitation techniques and unauthorized privilege escalation events (e.g., Windows Event ID 4672).
Compensating Controls: If immediate patching is not feasible, consider disabling the "Connected Devices Platform Service" on systems where its functionality (e.g., "Nearby Sharing," "Project to this PC") is not required. This action removes the attack surface but should be tested thoroughly to avoid disrupting business operations. Enforce the principle of least privilege for all user accounts to limit the initial access an attacker might have.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 9, 2025, there is no known public proof-of-concept exploit code available for this vulnerability. However, local privilege escalation vulnerabilities are highly sought after by threat actors to gain full control over a compromised host during post-exploitation phases of an attack. It is likely that threat actors will develop exploits for this vulnerability.
Analyst Recommendation
Given the high CVSS score of 7.8 and the critical impact of a successful privilege escalation attack, we strongly recommend that organizations prioritize the immediate patching of this vulnerability. While CVE-2025-54102 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its nature makes it a prime target for future exploitation. Organizations should treat this as an urgent threat and expedite remediation efforts to prevent potential system compromise.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute c...
Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally
Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevat...
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to elevate privileges locally
Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Thermo Fisher
PRODUCT: Ion Torrent OneTouch 2
AFFECTED_VERSIONS: INS1005527
CONFIDENCE: high
MISSING: patch, exploit_status
---END_METADATA---
Description Summary:
Unsupported Thermo Fisher Ion Torrent OneTouch 2 devices expose an X11 display server on all interfaces, allowing remote code execution and root privilege escalation.
Executive Summary:
Unsupported Thermo Fisher Ion Torrent OneTouch 2 devices are vulnerable to remote code execution due to an insecurely configured, publicly accessible X11 display server.
Vulnerability Details
CVE-ID: CVE-2025-54304
Affected Software: Thermo Fisher Ion Torrent OneTouch 2
Affected Versions: INS1005527
Vulnerability: The X11 display server, which starts automatically upon device power-on, is incorrectly configured to listen on all network interfaces. This exposure allows unauthenticated network-adjacent attackers to interact with the display, spawn terminals, and obtain root-level access.
Business Impact
With a CVSS score of 9.8, this vulnerability poses a severe threat to the integrity and confidentiality of the affected devices. As these are laboratory instruments, unauthorized access could lead to data manipulation or exfiltration; furthermore, the lack of vendor support makes the risk of persistent, unpatchable exploitation extremely high.
Remediation Plan
Immediate Action: Isolate affected devices from public or untrusted networks immediately to prevent unauthorized access to the X11 display.
Proactive Monitoring: Monitor network traffic for connections to port 6000 on laboratory devices and alert on any unexpected X11 protocol activity.
Compensating Controls: Place devices behind a strict firewall or within an isolated VLAN with no external access, effectively "air-gapping" the vulnerable service.
Exploitation Status
Public Exploit Available: Not specified
Analyst Notes: As of Dec 4, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Because the product is no longer supported, a formal patch may not be available. Organizations must treat these devices as inherently insecure and enforce strict network segmentation to prevent remote access, as this is the only viable method to mitigate the risk.