Executive Summary:
A critical vulnerability has been discovered in the PubNet self-hosted Dart & Flutter package service. This flaw allows an unauthenticated attacker to upload software packages while impersonating any legitimate user, creating a significant risk of a supply chain attack. Successful exploitation could lead to widespread system compromise for any downstream users who download and install the malicious packages.

Vulnerability Details

CVE-ID: CVE-2025-65112

Affected Software: PubNet is a Multiple Products

Affected Versions: All versions prior to 1.1.3

Vulnerability: The vulnerability exists within the /api/storage/upload API endpoint, which fails to perform proper authentication and authorization checks. An unauthenticated attacker can craft a request to this endpoint to upload a new package and include an arbitrary author-id value in the request. The application incorrectly trusts this user-supplied value, associating the uploaded package with the specified author without verifying the identity of the person making the request. This allows an attacker to impersonate any user on the system, including administrators or highly trusted developers, and publish malicious code under their name.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.4, reflecting the high potential for widespread damage. Exploitation can lead to a severe supply chain attack, where attackers replace legitimate software packages with malicious versions containing backdoors, ransomware, or data exfiltration malware. If an organization relies on this internal PubNet instance for software development, all projects and systems that consume a compromised package could be breached, leading to significant data loss, financial damage, operational disruption, and severe reputational harm.

Remediation Plan

Immediate Action: Immediately update all instances of PubNet to version 1.1.3 or later, as this version contains the patch for the vulnerability. After patching, review server access logs for any suspicious POST requests to the /api/storage/upload endpoint originating from unknown IP addresses to identify potential past exploitation.

Proactive Monitoring: Implement continuous monitoring of application and web server logs. Specifically, create alerts for any unauthenticated requests to the /api/storage/upload endpoint. Monitor for unusual package upload patterns, such as a developer publishing a package from an unrecognized IP address or at an unusual time.

Compensating Controls: If immediate patching is not feasible, restrict network access to the /api/storage/upload endpoint to only trusted, internal IP addresses or require users to connect via a VPN. Implementing a Web Application Firewall (WAF) with a specific rule to block unauthenticated access to this endpoint can also serve as a temporary mitigating control.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Nov 29, 2025, there are no known public exploits or reports of this vulnerability being actively exploited in the wild. However, due to the simplicity of exploitation and the high impact, it is highly likely that threat actors will develop and deploy exploits quickly. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

Analyst Recommendation
Given the critical CVSS score of 9.4 and the direct threat of a supply chain attack, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all affected PubNet instances be updated to version 1.1.3 or later with the highest priority. Additionally, a thorough audit of recently published or updated packages should be conducted to ensure no malicious code was injected prior to applying the patch.

Executive Summary:
A critical remote code execution vulnerability has been identified in the md-to-pdf library, a tool used for converting Markdown files to PDFs. An attacker can exploit this vulnerability by crafting a special Markdown file which, when processed, executes malicious code on the server, potentially leading to a full system compromise. Organizations using any product that incorporates this library must take immediate action to prevent unauthorized access and data breaches.

Vulnerability Details

CVE-ID: CVE-2025-65108

Affected Software: Unknown Multiple Products (underlying library: md-to-pdf)

Affected Versions: md-to-pdf library versions prior to 5.2.5. See vendor advisories for specific product versions.

Vulnerability: The vulnerability exists in the way the md-to-pdf library processes Markdown front-matter using its gray-matter dependency. An attacker can craft a Markdown file with a specially formatted front-matter block containing JavaScript delimiters and arbitrary code. When the vulnerable application attempts to convert this malicious file to a PDF, the JavaScript engine within the gray-matter library is tricked into executing the embedded code with the full permissions of the converter process, resulting in unauthenticated remote code execution (RCE) on the host system.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 10.0, reflecting the highest possible risk. Successful exploitation could lead to a complete compromise of the affected server's confidentiality, integrity, and availability. An attacker could steal sensitive data, install ransomware, deploy persistent backdoors, manipulate critical information, or use the compromised system as a pivot point to attack other internal network resources. The potential business impact includes major data breaches, significant financial loss, operational disruption, and severe reputational damage.

Remediation Plan

Immediate Action: Immediately update all instances of affected products to the latest patched versions as recommended by the respective vendors. The vulnerability is patched in md-to-pdf version 5.2.5 and later. Following the update, monitor systems for any signs of exploitation and thoroughly review access and application logs for suspicious activity that occurred prior to patching.

Proactive Monitoring:

• Monitor for unusual child processes being spawned by Node.js or any process associated with the Markdown conversion service.
• Implement file integrity monitoring on application servers to detect unauthorized changes.
• Review application logs for attempts to process Markdown files containing suspicious front-matter, such as those with script tags or unusual delimiters (---js).
• Monitor for unexpected outbound network connections from servers running the conversion tool, as this could indicate a successful compromise.

Compensating Controls:

• Input Sanitization: If immediate patching is not feasible, implement a pre-processing step to scan, validate, and sanitize all uploaded or processed Markdown files, specifically stripping or rejecting any front-matter that contains executable code blocks.
• Sandboxing: Run the file conversion process in a minimal-privilege, isolated sandbox environment (e.g., a Docker container) with restricted file system access and no network connectivity to limit the potential impact of a compromise.
• Network Segmentation: Isolate the server or service performing the conversions from critical corporate networks and sensitive data stores to contain any potential breach.

Exploitation Status

Public Exploit Available: False

Analyst Notes: As of the published date of November 21, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical CVSS score and the straightforward nature of the exploitation vector, it is highly probable that threat actors will develop and weaponize an exploit in the near future. Organizations should assume this vulnerability is an active and imminent threat.

Analyst Recommendation

This vulnerability represents a critical and immediate risk to the organization, allowing for unauthenticated remote code execution via the processing of a single malicious file. Due to its CVSS score of 10.0, immediate patching is the highest priority. All system owners must identify and update affected products without delay. Although this vulnerability is not currently on the CISA KEV list, its severity warrants treating it with the same level of urgency as a known exploited vulnerability.

Executive Summary:
A critical SQL injection vulnerability, rated CVSS 10, has been identified in the XWiki Full Calendar Macro. This flaw allows any user, including unauthenticated guest users, to directly interact with the application's database, enabling them to steal sensitive information or trigger a denial-of-service (DoS) attack. Due to the ease of exploitation and severe potential impact, immediate remediation is required to prevent a full system compromise.

Vulnerability Details

CVE-ID: CVE-2025-65091

Affected Software: XWiki Full Calendar Macro displays objects from the wiki on the Multiple Products

Affected Versions: All versions prior to 2.4.5

Vulnerability: The vulnerability exists within the Calendar.JSONService page of the XWiki Full Calendar Macro. This service fails to properly sanitize user-supplied input before using it to construct a SQL query. An unauthenticated attacker can send a specially crafted request to this page, injecting malicious SQL commands that will be executed by the back-end database. This allows the attacker to bypass all application-level security and gain direct access to the database to read, modify, or delete data, as well as execute commands that could overload the database, causing a denial-of-service condition.

Business Impact

This vulnerability is of critical severity with a CVSS score of 10, posing an extreme risk to the organization. Successful exploitation could lead to a catastrophic data breach, resulting in the exfiltration of all data stored within the XWiki instance, including proprietary documents, user credentials, personally identifiable information (PII), and other confidential data. Furthermore, the ability to trigger a DoS attack could render the XWiki platform completely unavailable, disrupting critical business operations that rely on it. The potential consequences include severe financial loss, regulatory fines for non-compliance (e.g., GDPR), significant reputational damage, and a complete loss of data integrity.

Remediation Plan

Immediate Action: Immediately apply the security patch by following the vendor's recommendation: Update XWiki Full Calendar Macro displays objects from the wiki on the Multiple Products to the latest version (2.4.5 or newer). After patching, monitor for any continued exploitation attempts and review historical access logs for indicators of compromise prior to the update.

Proactive Monitoring:

• Review web server and application logs for requests to the Calendar.JSONService page, specifically searching for suspicious patterns, SQL keywords (SELECT, UNION, ', --), or encoded characters in the request parameters.
• Monitor database logs for unusual or long-running queries originating from the XWiki application's service account.
• Implement alerts for high CPU or memory utilization on the database and web server, which could indicate an ongoing DoS attack.

Compensating Controls:
If immediate patching is not feasible, implement the following controls as a temporary measure:

• Web Application Firewall (WAF): Deploy a WAF with a strict ruleset designed to detect and block SQL injection attack patterns.
• Access Restriction: If possible, configure your web server or a reverse proxy to block all external access to the vulnerable Calendar.JSONService page.
• Database Activity Monitoring (DAM): Use a DAM tool to monitor, alert on, and potentially block anomalous queries against the XWiki database.

Exploitation Status

Public Exploit Available: False

Analyst Notes: As of Jan 10, 2026, there is no known public exploit code available for this vulnerability. However, given the critical CVSS score of 10 and the low complexity of exploiting unauthenticated SQL injection flaws, it is highly probable that a functional proof-of-concept will be developed and released by threat actors in the very near future. The fact that guest users can trigger this vulnerability significantly increases its risk profile.

Analyst Recommendation
This vulnerability represents a clear and present danger to the organization. Given its critical severity (CVSS 10) and the ability for unauthenticated attackers to achieve full database compromise, immediate action is mandatory. All affected instances of the XWiki Full Calendar Macro must be updated to version 2.4.5 or later on an emergency basis. Due to its severity, this vulnerability is a prime candidate for future inclusion in the CISA KEV catalog, and organizations should prioritize its remediation above all other routine patching activities.

Executive Summary:
A critical vulnerability has been identified in the H2O.ai H2O-3 platform, a widely used open-source machine learning tool. This flaw allows a remote, unauthenticated attacker to execute arbitrary code on the server by sending specially crafted data. Successful exploitation could lead to a complete system compromise, enabling attackers to steal sensitive data, disrupt services, or use the compromised system for further attacks.

Vulnerability Details

CVE-ID: CVE-2025-6507

Affected Software: H2O.ai H2O-3

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability is classified as Deserialization of Untrusted Data. The H2O-3 application fails to properly validate and sanitize user-supplied data before it is deserialized. An attacker can construct a malicious object and serialize it into a data stream. When the vulnerable H2O-3 server processes this stream, it deserializes the object, which can trigger a chain of events that leads to the execution of arbitrary commands on the underlying operating system with the privileges of the H2O-3 service account.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a severe and immediate risk to the organization. Exploitation can lead to a complete compromise of the affected server, resulting in significant business consequences. These include the potential for a major data breach involving sensitive corporate data or machine learning models, disruption of critical business operations that rely on the H2O-3 platform, and reputational damage. An attacker could also leverage the compromised server as a pivot point to launch further attacks against the internal network.

Remediation Plan

Immediate Action: The primary remediation is to update all instances of H2O.ai H2O-3 to the latest patched version provided by the vendor. After applying the update, it is essential to monitor for any signs of exploitation and review system and application access logs for any suspicious activity that may have occurred prior to patching.

Proactive Monitoring: Implement enhanced monitoring on systems running H2O-3. Security teams should look for unusual process execution spawned by the H2O-3 service (e.g., sh, cmd.exe, powershell.exe), unexpected outbound network connections, and anomalous file system modifications. Application logs should be reviewed for deserialization errors or malformed input warnings.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Restrict network access to the H2O-3 application to only trusted IP addresses and internal networks.
• Deploy a Web Application Firewall (WAF) with rulesets designed to detect and block common deserialization attack payloads.
• Ensure the H2O-3 service is running with a dedicated, low-privilege user account to limit the impact of a potential compromise.

Exploitation Status

Public Exploit Available: False

Analyst Notes: As of the publication date, September 1, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical severity (CVSS 9.8) and the direct path to Remote Code Execution, it is highly likely that threat actors will prioritize developing a functional exploit. Organizations should operate under the assumption that exploitation is imminent.

Analyst Recommendation

Given the critical CVSS score of 9.8, this vulnerability presents a significant and direct threat to the confidentiality, integrity, and availability of affected systems. The highest priority is the immediate patching of all vulnerable H2O-3 instances. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. We strongly recommend that organizations apply the vendor-supplied updates without delay. If immediate patching is not feasible, the compensating controls outlined above must be implemented to mitigate the risk of a system compromise.

Executive Summary:
A critical vulnerability, identified as CVE-2025-65041, has been discovered in Microsoft Partner Center. This flaw allows an unauthenticated attacker to remotely gain complete administrative control over the platform, potentially compromising all managed customer tenants. Due to its maximum severity rating (CVSS 10.0), this vulnerability poses an immediate and severe risk of widespread data breach and service disruption.

Vulnerability Details

CVE-ID: CVE-2025-65041

Affected Software: Microsoft Partner Center

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability is an improper authorization flaw within the Microsoft Partner Center's API. A remote, unauthenticated attacker can send a specially crafted request to a publicly exposed API endpoint. This request exploits a logical error in the access control validation process, causing the system to bypass normal authentication and authorization checks and grant the attacker a session token with high-level administrative privileges. Successful exploitation allows the attacker to achieve full administrative control over the Partner Center and all associated customer tenants managed through it.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 10.0. A successful exploit would have a catastrophic business impact, as an attacker with administrative privileges in the Partner Center could achieve a complete compromise of the organization's cloud services and its customers' environments. Potential consequences include unauthorized access to and exfiltration of sensitive corporate and customer data, modification or deletion of critical production systems, creation of rogue administrator accounts for persistent access, and widespread service disruption. This poses an extreme risk to business operations, customer trust, brand reputation, and regulatory compliance.

Remediation Plan

Immediate Action: Immediately apply the security updates released by Microsoft for Partner Center as detailed in the vendor's security advisory. Prioritize patching all systems and services that interact with the Partner Center API. After patching, verify that the update has been successfully applied and the vulnerability is mitigated.

Proactive Monitoring: Actively monitor for signs of exploitation. Review Azure AD sign-in logs and Partner Center audit logs for anomalous authentication events, unexpected creations of new administrative accounts, or configuration changes originating from unfamiliar IP addresses. Implement enhanced network traffic analysis to detect unusual API requests targeting Partner Center endpoints.

Compensating Controls: If patching cannot be performed immediately, implement strict firewall rules to restrict access to the Partner Center management APIs to a limited set of trusted IP addresses. Temporarily disable any non-essential third-party integrations with Partner Center until the patch can be deployed. Ensure all administrative accounts are configured with multi-factor authentication (MFA) as a general best practice, although it may not prevent the exploitation of this specific vulnerability.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of December 18, 2025, there are no known public proof-of-concept exploits available for this vulnerability. However, given the critical severity (CVSS 10.0) and the high value of the target, it is highly likely that threat actors will rapidly develop and deploy exploits. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

Analyst Recommendation

This vulnerability represents a critical and immediate threat to the organization and its managed customers. Due to the CVSS score of 10.0, which signifies a complete system compromise with minimal effort from an unauthenticated attacker, immediate patching is the highest priority. Organizations must apply the vendor-supplied patches without delay. Until patches are applied, implement the recommended compensating controls and heightened monitoring to detect and respond to potential exploitation attempts.

Executive Summary:
A critical vulnerability, identified as CVE-2025-65037, has been discovered in Microsoft Azure Container Apps. This flaw allows an unauthorized attacker on the internet to inject and execute malicious code, potentially leading to a complete compromise of the affected containerized applications and underlying systems. Due to the critical severity (CVSS 10) and the potential for full system takeover, immediate remediation is strongly advised.

Vulnerability Details

CVE-ID: CVE-2025-65037

Affected Software: Microsoft Azure Container Apps

Affected Versions: See vendor advisory for specific affected versions.

Vulnerability: This vulnerability is an improper control of code generation, commonly known as a code injection flaw. An unauthenticated remote attacker can send specially crafted data over the network to a vulnerable Azure Container App instance. The service fails to properly sanitize this input, allowing the attacker's data to be interpreted and executed as code, leading to remote code execution (RCE) with the privileges of the containerized application. Exploitation requires no user interaction or prior access, making it a highly critical and easily exploitable vulnerability.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 10, representing the highest possible risk. Successful exploitation could lead to a complete compromise of the confidentiality, integrity, and availability of the affected applications and their data. Potential consequences include theft of sensitive data, deployment of ransomware, complete service disruption, and the ability for an attacker to use the compromised environment as a foothold to move laterally within the organization's cloud infrastructure. The business risks include significant financial loss, severe reputational damage, and potential regulatory penalties.

Remediation Plan

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately. All instances of Microsoft Azure Container Apps should be updated to the latest patched version as per the vendor's advisory. Following the update, organizations should actively monitor for any signs of post-patch exploitation attempts and review historical access and application logs for indicators of compromise.

Proactive Monitoring: Implement enhanced monitoring on Azure Container App environments. Security teams should look for unusual outbound network traffic, unexpected processes or commands being executed within containers, anomalous API calls, and suspicious modifications to container configurations. Review application and ingress controller logs for malformed requests or error patterns that could indicate exploitation attempts.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. This includes enforcing strict network security policies to limit ingress and egress traffic to only known-good sources and destinations. Deploying a Web Application Firewall (WAF) with rules designed to detect and block code injection patterns can also provide an additional layer of defense.

Exploitation Status

Public Exploit Available: False

Analyst Notes: As of December 18, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, given the critical CVSS score of 10 and the low complexity of a potential attack, it is highly probable that a functional exploit will be developed by threat actors in the near future. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

Analyst Recommendation

Due to the critical nature of CVE-2025-65037, we recommend that organizations treat this as a top-priority security issue. The potential for unauthenticated remote code execution presents a severe risk to the entire cloud environment. The primary course of action must be to apply the vendor-supplied patches across all affected Azure Container Apps instances without delay. While this vulnerability is not yet on the CISA KEV list, its severity makes it a prime candidate for future inclusion and an attractive target for attackers. Organizations must act now to patch, monitor, and secure their environments against this threat.

Executive Summary:
A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Rallly collaboration tool. This flaw allows any authenticated user to finalize polls created by other users, potentially converting them into events without authorization. This can lead to significant disruption of user workflows, compromise data integrity, and impact the availability of the scheduling service.

Vulnerability Details

CVE-ID: CVE-2025-65021

Affected Software: Rallly is an Multiple Products

Affected Versions: All versions prior to 4.5.4

Vulnerability: The vulnerability is an Insecure Direct Object Reference (IDOR) located in the poll finalization function. The application fails to perform an authorization check to verify that the user finalizing a poll is the actual owner of that poll. An attacker with any valid user account can exploit this by intercepting the network request for finalizing their own poll, and then modifying the pollId parameter to match the ID of a victim's poll. Upon sending the manipulated request, the server will process it and finalize the victim's poll, prematurely ending it and converting it into a scheduled event.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a significant business impact by undermining the core functionality of the scheduling tool. An attacker could prematurely close important polls, create unauthorized events, and prevent legitimate decision-making processes from completing. This leads to a loss of data integrity (incorrect events are created), loss of availability (legitimate polls are closed), and can cause widespread confusion and operational disruption for users relying on the platform for coordination.

Remediation Plan

Immediate Action: Immediately upgrade all instances of Rallly to version 4.5.4 or later, which contains the patch for this vulnerability. Prioritize public-facing and business-critical deployments. After upgrading, review application logs for any signs of past exploitation.

Proactive Monitoring: Security teams should monitor application and web server logs for suspicious activity related to the poll finalization endpoint. Specifically, look for a high volume of finalization requests from a single user account targeting multiple different pollId values. Correlate user session information with poll ownership records to detect instances where a user finalizes a poll they do not own.

Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) rule to detect and block requests where a single user session attempts to finalize numerous polls in a short time frame. Restricting access to the application to trusted IP ranges can also temporarily reduce the attack surface until the patch can be applied.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Nov 19, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, IDOR vulnerabilities are typically straightforward to discover and exploit, meaning that attackers could easily develop an exploit method independently.

Analyst Recommendation

Given the critical CVSS score of 9.1 and the low complexity required for exploitation by any authenticated user, we strongly recommend that organizations apply the security update to version 4.5.4 immediately. This vulnerability poses a direct threat to the integrity and availability of the service. Although this CVE is not currently listed on the CISA KEV catalog, its high severity warrants urgent and prioritized remediation to prevent potential disruption.

Executive Summary:
A high-severity vulnerability has been identified in the firmware of 'prior' Smart Video Doorbells. This flaw could allow an unauthenticated remote attacker to gain control of affected devices, potentially leading to a breach of privacy through access to video and audio feeds, or allowing the device to be used as an entry point into the local network.

Vulnerability Details

CVE-ID: CVE-2025-64983

Affected Software: prior Multiple Products

Affected Versions: Smart Video Doorbell firmware versions prior to 2

Vulnerability: The vulnerability exists within the network service responsible for handling video stream requests on the Smart Video Doorbell. A lack of proper input validation allows a remote, unauthenticated attacker to send a specially crafted network packet to the device. This packet can trigger a buffer overflow, enabling the attacker to execute arbitrary code with root privileges on the device, effectively granting them complete control.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8. Exploitation could have significant business impacts, including a severe breach of physical security and privacy if an attacker gains access to live video and audio feeds. The compromised device could also be used as a pivot point to launch further attacks against other devices on the internal network. A successful attack could lead to reputational damage, data breaches, and a loss of customer trust.

Remediation Plan

Immediate Action: The primary remediation is to apply vendor-supplied security updates immediately. All affected 'prior' Smart Video Doorbell devices must be updated to firmware version 2 or newer. Following the update, administrators should monitor for any signs of exploitation attempts by reviewing network and device access logs for anomalous activity.

Proactive Monitoring: Implement enhanced monitoring for network traffic to and from affected doorbell devices. Look for unusual outbound connections, unexpected port scanning originating from the device's IP address, or repeated service crashes indicated in device logs. An Intrusion Detection System (IDS) can be configured with rules to detect potential exploit traffic targeting the vulnerable service.

Compensating Controls: If immediate patching is not feasible, implement network segmentation by placing all Smart Video Doorbells on an isolated VLAN with strict firewall rules. Restrict the device's internet access to only essential vendor-related endpoints required for normal operation. This will limit an attacker's ability to communicate with the device from the internet and prevent a compromised device from accessing sensitive internal network resources.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of November 27, 2025, there are no known public proof-of-concept exploits, and this vulnerability is not being actively exploited in the wild. However, due to the high severity and potential for remote, unauthenticated access, it is highly probable that threat actors will develop an exploit in the near future.

Analyst Recommendation

Given the high severity (CVSS 8) of this vulnerability, immediate action is required. All organizations using the affected 'prior' Smart Video Doorbells must prioritize the deployment of the vendor-provided firmware update. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime target for future exploitation. If patching cannot be performed immediately, implement the recommended compensating controls, such as network segmentation, to reduce the risk of compromise.

Executive Summary:
A high-severity vulnerability has been identified in the Bricks theme for WordPress, a popular website-building tool. This flaw allows an unauthenticated attacker to steal sensitive information directly from the website's database, such as user credentials, customer data, and other private content. Due to the ease of exploitation and the potential for a complete data breach, immediate patching is critical to protect affected websites.

Vulnerability Details

CVE-ID: CVE-2025-6495

Affected Software: Bricks theme for WordPress

Affected Versions: All versions up to, and including, 1

Vulnerability:
The vulnerability is a blind SQL Injection in the Bricks WordPress theme. An unauthenticated remote attacker can exploit this by sending a specially crafted SQL query within the ‘p’ parameter of a web request. Because the injection is "blind," the server does not return database output directly in its response. Instead, the attacker uses time-based or boolean-based techniques to infer the database structure and exfiltrate data one character at a time by observing delays or subtle changes in the server's response. This can ultimately lead to the full extraction of database contents.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to significant business consequences, including the unauthorized disclosure of sensitive data such as customer Personally Identifiable Information (PII), user passwords, and proprietary business information. A successful attack could result in severe reputational damage, loss of customer trust, regulatory fines (e.g., GDPR, CCPA), and the potential for a complete website takeover if administrative credentials are stolen from the database.

Remediation Plan

Immediate Action:
Immediately update the Bricks theme to the latest patched version provided by the vendor. After applying the update, perform a security audit of the WordPress site. If the Bricks theme is installed but no longer in use, it should be deactivated and permanently removed to eliminate it as a potential attack vector.

Proactive Monitoring:
Monitor web server and Web Application Firewall (WAF) logs for suspicious requests targeting the ‘p’ parameter. Specifically, look for requests containing SQL keywords (e.g., SELECT, UNION, SLEEP, BENCHMARK) or an unusual number of special characters. Monitor database logs for an increase in slow queries or unexpected commands originating from the web server, which could indicate time-based injection attempts.

Compensating Controls:
If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust ruleset to detect and block SQL injection attacks. Ensure the WAF is in blocking mode, not just logging mode. Additionally, ensure the database user account used by the WordPress application operates with the principle of least privilege, restricting its ability to access or modify critical data outside of its intended function.

Exploitation Status

Public Exploit Available: False

Analyst Notes:
As of July 29, 2025, there are no known public proof-of-concept exploits or active malicious campaigns targeting this vulnerability. However, SQL injection is a well-understood attack technique, and it is highly probable that threat actors will develop exploits rapidly. Organizations should assume exploitation is imminent.

Analyst Recommendation
Given the high severity (CVSS 7.5) and the potential for unauthenticated remote data exfiltration, we strongly recommend that all organizations using the Bricks theme for WordPress treat this vulnerability with urgency. The recommended patch should be applied immediately. Although this CVE is not currently listed on the CISA KEV list, its critical nature makes it an attractive target for widespread, automated attacks. Proactive patching is the most effective defense against a potential data breach.

Executive Summary:
A high-severity vulnerability has been identified in Apache Struts, a widely used web application framework. An unauthenticated attacker can remotely exploit this flaw by sending specially crafted requests, causing temporary files to accumulate and exhaust all available disk space, leading to a denial of service that can render the application and potentially the entire server unavailable.

Vulnerability Details

CVE-ID: CVE-2025-64775

Affected Software: Apache Struts

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability exists within the multipart request processing component of Apache Struts. When handling a multipart/form-data request (typically used for file uploads), the framework fails to properly clean up temporary files created during the process. An unauthenticated remote attacker can exploit this by sending a series of crafted requests, causing temporary files to be continuously created and left on the disk. This file leak eventually leads to disk exhaustion, preventing the application and other system services from writing new data, resulting in a complete denial of service.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation directly impacts service availability, which can lead to significant business disruption. An outage of critical web applications can result in direct financial loss, damage to the organization's reputation, and a negative customer experience. Since the attack is simple to execute and requires no authentication, any internet-facing application using a vulnerable version of Apache Struts is at high risk of being taken offline by malicious actors.

Remediation Plan

Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. After patching, review system and application access logs for any signs of exploitation attempts, such as an unusually high volume of POST requests with multipart/form-data content.

Proactive Monitoring: Implement continuous monitoring of disk space utilization on all servers running Apache Struts applications, with alerts configured for rapid or unexpected growth. Security teams should monitor web server logs and Web Application Firewall (WAF) logs for patterns indicative of an attack, such as a large number of multipart requests from a single source IP address in a short period.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to mitigate risk. Configure a Web Application Firewall (WAF) to rate-limit multipart POST requests. Additionally, consider implementing disk quotas for the user account running the application server to contain the impact of disk exhaustion and prevent it from affecting the entire operating system. A scheduled script to periodically clean the relevant temporary file directories can also serve as a temporary mitigation.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of December 1, 2025, proof-of-concept (PoC) exploit code is publicly available. Due to the simplicity of triggering this denial-of-service condition, the barrier for attackers is low. While there are no widespread campaigns observed at this time, targeted exploitation is highly likely given the prevalence of Apache Struts.

Analyst Recommendation

Given the high severity (CVSS 7.5), the public availability of exploit code, and the significant impact on service availability, it is strongly recommended that organizations prioritize the immediate patching of this vulnerability. All internet-facing systems running vulnerable versions of Apache Struts should be considered at critical risk. Although this CVE is not currently listed on the CISA KEV catalog, its potential for business disruption warrants an urgent response. If patching is delayed for any reason, compensating controls must be deployed without delay.

Executive Summary:
A critical vulnerability has been discovered in the hpke-js encryption library, a component used in multiple software products. This flaw, a race condition, can cause the encryption process to reuse the same cryptographic key (nonce), completely breaking the security of the encrypted messages. Successful exploitation could allow an attacker to decrypt sensitive communications and forge messages, leading to a total loss of data confidentiality and integrity.

Vulnerability Details

CVE-ID: CVE-2025-64767

Affected Software: Unknown Multiple Products

Affected Versions: All versions of hpke-js prior to 1.7.5

Vulnerability: The vulnerability is a race condition within the public SenderContext Seal() API of the hpke-js library. When multiple Seal() operations are called concurrently or in rapid succession, the underlying mechanism for generating a unique nonce (a number used only once) can fail, resulting in the same nonce being used for different messages. In AEAD (Authenticated Encryption with Associated Data) ciphers, nonce reuse is a catastrophic failure. An attacker who can capture two or more encrypted messages that were sealed with the same nonce can use cryptographic analysis to recover the authentication key, allowing them to decrypt all messages encrypted with that key and forge new, valid-looking messages.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.1. The business impact is severe, as the core promise of the encryption library—to protect data—is completely undermined. Exploitation could lead to the exposure of highly sensitive information, such as personally identifiable information (PII), financial records, intellectual property, or private communications, resulting in significant data breaches. The consequences include severe reputational damage, loss of customer trust, regulatory fines (e.g., under GDPR, HIPAA), and potential legal liability. Any business process relying on this library for secure data exchange is at high risk of compromise.

Remediation Plan

Immediate Action: Organizations must immediately identify all applications and systems that utilize the hpke-js library. The primary remediation is to update the library to the patched version 1.7.5 or later in all affected products. Following the update, security teams should actively monitor for any signs of exploitation attempts and review historical access and application logs for anomalous activity that might indicate a prior compromise.

Proactive Monitoring: Monitor application logs for any errors or unexpected behavior related to encryption and decryption functions. Network monitoring should be enhanced to detect unusual patterns in encrypted traffic or signs of data exfiltration. Since directly detecting nonce reuse in live traffic is difficult, focus on post-compromise indicators such as unauthorized access to data that was presumed to be securely encrypted.

Compensating Controls: If immediate patching is not feasible, consider implementing compensating controls. This could include adding an additional layer of encryption at the transport level (e.g., ensuring robust TLS 1.3 is enforced) to protect the ciphertext from being observed by an attacker. Additionally, restrict access to services using the vulnerable library and consider temporarily disabling non-essential features that rely on it until a patch can be deployed.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of the publication date of November 21, 2025, there is no known publicly available exploit code, and no active exploitation has been reported in the wild. However, the nature of nonce reuse vulnerabilities in cryptography is well-understood, and a skilled adversary could develop a functional exploit with relative ease given the right conditions.

Analyst Recommendation

Given the critical CVSS score of 9.1 and the fundamental cryptographic failure this vulnerability represents, immediate action is required. We strongly recommend that organizations prioritize identifying all internal and third-party products that use the hpke-js library. Once identified, these products must be patched to version 1.7.5 or a later version without delay. While this vulnerability is not currently listed on the CISA KEV list, its severity warrants treating it with the same level of urgency as a known exploited vulnerability.

Executive Summary:
A high-severity vulnerability has been identified in Zoom Workplace for Android, which could allow an attacker to bypass security permissions. Successful exploitation could grant an unauthorized user access to meetings or perform actions they are not permitted to, potentially exposing sensitive corporate communications and data. Organizations are urged to update all affected Android devices to the latest version of the application immediately to mitigate this risk.

Vulnerability Details

CVE-ID: CVE-2025-64741

Affected Software: Zoom Multiple Products

Affected Versions: Zoom Workplace for Android versions prior to 6.0

Vulnerability: The vulnerability is an improper authorization handling flaw within the Zoom Workplace application for Android. The application fails to correctly validate a user's permissions before allowing certain actions to be performed. An unauthenticated or low-privileged attacker could potentially exploit this by sending a specially crafted request to the application's backend services via the mobile client, bypassing normal authorization checks. This could allow the attacker to gain elevated privileges within a meeting, access restricted information, or perform actions on behalf of another user without proper consent.

Business Impact

This vulnerability presents a high severity risk with a CVSS score of 8.1. Exploitation could lead to significant business consequences, including the compromise of confidential information discussed in meetings, such as intellectual property, financial data, and strategic plans. Unauthorized access to meetings could result in corporate espionage, data breaches, and a severe loss of privacy. The potential for reputational damage is substantial, and a successful breach could lead to a loss of customer trust and potential regulatory penalties for non-compliance with data protection standards.

Remediation Plan

Immediate Action: The primary remediation is to apply the vendor-supplied security update across all corporate and BYOD Android devices. All instances of Zoom Workplace for Android must be upgraded to version 6.0 or later immediately. Following the update, security teams should review Zoom access and activity logs for any suspicious or unauthorized actions, particularly those originating from older versions of the Android client.

Proactive Monitoring: Implement enhanced monitoring of Zoom logs for anomalous behavior. Look for unusual meeting join/leave patterns, unexpected promotions of attendees to host/co-host roles, or API calls originating from outdated Android clients. Network monitoring should be configured to flag suspicious traffic patterns associated with the Zoom application on mobile devices.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Enforce mandatory Multi-Factor Authentication (MFA) for all Zoom accounts. Utilize a Mobile Device Management (MDM) solution to block application access from devices running vulnerable versions of Zoom. Educate users on meeting security best practices, such as using passcodes and waiting rooms, and instruct them to report any unusual in-meeting activity.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of November 14, 2025, there is no known public proof-of-concept exploit code available, and there are no reports of this vulnerability being actively exploited in the wild. However, due to the high-severity rating and the widespread use of Zoom, it is highly probable that threat actors will attempt to reverse-engineer the patch to develop an exploit.

Analyst Recommendation

Given the high CVSS score of 8.1 and the critical role Zoom plays in business communications, this vulnerability requires immediate attention. We strongly recommend that all organizations prioritize the deployment of the security update for Zoom Workplace for Android to version 6.0 or newer across all managed and unmanaged devices. Although this CVE is not currently listed on the CISA KEV catalog, its potential impact on confidentiality makes it a prime target for future exploitation. Swift and decisive patching is the most effective strategy to prevent the compromise of sensitive corporate data.

Executive Summary:
A high-severity vulnerability has been identified in the installer for the Zoom Workplace VDI Client for Windows. This flaw allows a user who is already logged into a workstation to gain elevated administrative privileges by exploiting improper signature verification. Successful exploitation could lead to a complete system compromise, enabling an attacker to install malware, steal sensitive data, and disrupt business operations.

Vulnerability Details

CVE-ID: CVE-2025-64740

Affected Software: Zoom Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability exists within the installer component of the Zoom Workplace VDI Client. The installer fails to properly verify the cryptographic signature of all its components before execution. An attacker with local access to a system and standard user permissions could replace a legitimate file used by the installer with a malicious payload. When a privileged user or an automated deployment system runs the installer, the malicious payload is executed with the elevated permissions of the installer process, resulting in a local privilege escalation.

Business Impact

This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation allows an attacker to escalate their privileges from a standard user to a system administrator. This level of access could lead to severe consequences, including the deployment of ransomware, theft of confidential company data, installation of persistent backdoors for long-term access, and the ability to pivot to other critical systems on the corporate network. The direct risks to the organization include data breaches, regulatory fines, reputational damage, and significant operational downtime.

Remediation Plan

Immediate Action:

• Identify all Windows endpoints running the vulnerable Zoom Workplace VDI Client.
• Deploy the security updates provided by Zoom across all affected systems immediately to patch the vulnerability.
• Prioritize patching for systems used by privileged users and those handling sensitive data.

Proactive Monitoring:

• Monitor Windows Security Event Logs for anomalous privilege escalation events (e.g., Event ID 4672) and suspicious process creation originating from the Zoom installer process.
• Implement file integrity monitoring on directories where the Zoom installer unpacks its temporary files to detect unauthorized modifications.
• Review logs from Endpoint Detection and Response (EDR) solutions for any unusual behavior associated with Zoom processes, such as unexpected network connections or child processes being spawned.

Compensating Controls:

• Enforce the Principle of Least Privilege by ensuring that standard users do not have administrative rights on their workstations.
• Utilize application control or whitelisting solutions to prevent the execution of unauthorized executables from temporary or user-writable directories.
• Restrict user permissions to prevent writing files to system-level directories where installer components might be placed.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of November 14, 2025, there are no known public proof-of-concept exploits, and this vulnerability is not being actively exploited in the wild. The CISA KEV status is "No". However, local privilege escalation vulnerabilities are highly sought after by threat actors as they are a critical component in post-exploitation attack chains after initial access has been achieved.

Analyst Recommendation

Given the high severity (CVSS 7.5) of this vulnerability and its potential for complete system compromise, it is strongly recommended that the organization prioritize the immediate deployment of the vendor-supplied patches. Although there is no current evidence of active exploitation and it is not listed in the CISA KEV catalog, the risk of a local attacker gaining administrative control is significant. If immediate patching is not feasible, the compensating controls listed above should be implemented to reduce the attack surface and mitigate the risk of exploitation.

Executive Summary:
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the Typebot open-source chatbot builder. This flaw allows authenticated users to force the server to make unauthorized requests to internal network resources, including the AWS metadata service, potentially leading to the theft of cloud credentials and complete compromise of the underlying Kubernetes cluster and associated cloud infrastructure.

Vulnerability Details

CVE-ID: CVE-2025-64709

Affected Software: Typebot is an Multiple Products

Affected Versions: Versions prior to 3.13.1

Vulnerability: The vulnerability exists within the webhook block (HTTP Request component) of Typebot. An authenticated attacker can configure a webhook to send a crafted HTTP request to an arbitrary URL from the Typebot server. Specifically, an attacker can target the internal AWS Instance Metadata Service (IMDS) endpoint at 169.254.169.254. The vulnerability allows the injection of custom headers, which enables the bypass of IMDSv2 protections, allowing the attacker to first request a session token and then use that token to retrieve temporary IAM credentials associated with the server's EKS node role. Possession of these credentials grants the attacker significant privileges within the AWS environment, potentially leading to full control over the Kubernetes cluster and other connected cloud resources.

Business Impact

This vulnerability is rated as critical with a CVSS score of 9.6, reflecting the high potential for catastrophic impact. Successful exploitation could lead to a complete compromise of the organization's cloud environment. Key risks include unauthorized access to and exfiltration of all data processed by the application and stored in the cloud, deployment of malicious software such as ransomware or cryptominers, service disruption or complete shutdown of production environments, and significant financial and reputational damage. The ability to gain control over the Kubernetes cluster allows for lateral movement and further attacks against the organization's infrastructure.

Remediation Plan

Immediate Action: Immediately upgrade all instances of Typebot to version 3.13.1 or later, which contains the patch for this vulnerability. After patching, review access logs and cloud audit logs (e.g., AWS CloudTrail) for any signs of compromise or unauthorized access originating from the Typebot server's IAM role.

Proactive Monitoring:

• Monitor outbound network traffic from Typebot servers/containers for any requests targeting the AWS IMDS endpoint (169.254.169.254).
• Implement alerting for any unusual or unexpected API calls made using the IAM role associated with the EKS nodes where Typebot is running.
• Regularly audit Typebot webhook configurations for any suspicious URLs pointing to internal or reserved IP addresses.

Compensating Controls:

• If immediate patching is not feasible, implement strict network egress policies on the Typebot pods/servers to block all traffic to 169.254.169.254.
• Review the IAM role attached to the EKS nodes and apply the principle of least privilege, ensuring it has only the absolute minimum permissions required to function.
• If the webhook feature is not in use, disable it entirely through application configuration to remove the attack vector.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Nov 13, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, the detailed nature of the vulnerability disclosure makes it highly likely that proof-of-concept code will be developed and used by threat actors in the near future.

Analyst Recommendation

Given the critical severity (CVSS 9.6) and the potential for complete infrastructure compromise, this vulnerability requires immediate attention. Organizations must prioritize applying the patch to upgrade all affected Typebot instances to version 3.13.1 or later. While this CVE is not currently listed on the CISA KEV catalog, its impact is severe enough to be treated with the highest urgency. In addition to patching, it is strongly recommended to implement compensating controls, such as network egress filtering, as a defense-in-depth measure to protect against this and similar SSRF vulnerabilities in the future.