CVE Trends
Top 10 CVEs trending on social media within the last 24 hours. When the Hypemeter is low, rankings become less reliable due to limited online discussion.
Each entry below gives the CVE, its severity (CVSS), its hype score for the last 24 hours, the publication date, a description, and the affected vendor or product.
1. CVE-2025-24813
   Severity: medium 5.5 | Hype score: 4 | Published: Mar 10, 2025 | Affects: Apache Tomcat
   CVE-2025-24813 affects Apache Tomcat 9.0.0.M1 through 9.0.98, 10.1.0.M1 through 10.1.34, and 11.0.0.M1 through 11.0.2 (fixed in 9.0.99, 10.1.35 and 11.0.3). It stems from how Tomcat handles partial PUT requests: the temporary file used for a partial upload is named from the user-supplied filename and path, with the path separator replaced by a dot. Depending on configuration, this can allow unauthorized reading of sensitive uploaded files, injection of malicious content into them, or remote code execution. For information disclosure or content injection, all of the following must hold: the default servlet has write access enabled (the DefaultServlet readonly init-param set to false; it is read-only by default), partial PUT support is enabled (the default), the target URL for sensitive uploads is a subdirectory of a publicly writable upload URL, and the attacker knows the names of the sensitive files being uploaded via partial PUT. Remote code execution requires the same conditions plus the application using Tomcat's file-based session persistence in its default location and having a library on the classpath that is vulnerable to deserialization attacks.

2. CVE-2024-55591
   Severity: critical 9.6 | Hype score: 3 | Published: Jan 14, 2025 | Affects: Fortinet FortiOS, FortiProxy
   CVE-2024-55591 is an authentication bypass vulnerability in Fortinet's FortiOS and FortiProxy. A remote, unauthenticated attacker can exploit it by sending specially crafted requests to the Node.js websocket module; successful exploitation grants super-admin privileges on the targeted device. Affected versions are FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet confirmed active exploitation as early as November 2024, with reports of attackers creating new user accounts, modifying firewall settings, and establishing SSL VPN tunnels for access to internal networks. The vulnerability carries a CVSSv3 score of 9.6.

3. CVE-2025-24472
   Severity: high 8.1 | Hype score: 3 | Published: Feb 11, 2025 | Affects: Fortinet FortiOS, FortiProxy
   CVE-2025-24472 is an authentication bypass vulnerability in Fortinet's FortiOS and FortiProxy that allows an unauthenticated remote attacker to gain super-admin privileges by sending specially crafted requests to the CSF proxy. Affected versions are FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12; users should update to FortiOS 7.0.17 or later and FortiProxy 7.0.20 or 7.2.13 or later. The vulnerability was disclosed on February 11, 2025, and added to the existing advisory for CVE-2024-55591, another authentication bypass affecting the same products. Although initial reports suggested active exploitation, Fortinet clarified that CVE-2025-24472 itself has not been seen exploited in the wild, whereas CVE-2024-55591 has. Both are fixed in the same releases, so systems already patched against CVE-2024-55591 are protected against CVE-2025-24472. As workarounds, the HTTP/HTTPS administrative interface can be disabled, or access to it restricted to trusted IP addresses.

4. CVE-2025-21298
   Severity: critical 9.8 | Hype score: 1 | Published: Jan 14, 2025 | Affects: Microsoft Windows
   CVE-2025-21298 is a critical remote code execution vulnerability in Windows Object Linking and Embedding (OLE). It requires no user interaction (zero-click): an attacker sends a specially crafted email, typically carrying a malicious Rich Text Format (RTF) document, to a Microsoft Outlook user, and merely opening or previewing the message can trigger the flaw. The root cause is a double free in the `UtOlePresStmToContentsStm` function of `ole32.dll`, which processes embedded OLE objects in RTF files; the resulting memory corruption can be turned into execution of attacker-controlled code. Proof-of-concept exploits demonstrating the memory corruption have been published. The vulnerability has a CVSS score of 9.8.

5. CVE-2025-26319
   Severity: critical 9.8 | Hype score: 1 | Published: Mar 4, 2025 | Affects: Flowise
   CVE-2025-26319 is an arbitrary file upload vulnerability in FlowiseAI Flowise v2.2.6, specifically in the `/api/v1/attachments` endpoint, which lets unauthenticated attackers upload arbitrary files to the Flowise server. The file upload route does not properly validate user-supplied parameters; by manipulating them an attacker can bypass security checks and perform path traversal, potentially overwriting critical files. Successful exploitation could lead to remote code execution and full server compromise, including modification of API keys and access to sensitive data.

6. CVE-2025-25291
   Severity: high 8.8 | Hype score: 1 | Published: Mar 12, 2025 | Affects: Ruby (ruby-saml)
   CVE-2025-25291 is an authentication bypass vulnerability in ruby-saml, a Security Assertion Markup Language (SAML) single sign-on (SSO) library for Ruby. It stems from a parser differential between ReXML and Nokogiri: the two parsers produce different document structures from the same XML input, which lets an attacker carry out a Signature Wrapping attack. An attacker holding a valid signed SAML document from the Identity Provider (IdP) could authenticate as another valid user of that IdP. Through its use of ruby-saml, the flaw affects GitLab CE/EE 17.7.0 through 17.7.6, 17.8.0 through 17.8.4, 17.9.0 and 17.9.1, and earlier releases. Fixes are available in ruby-saml 1.12.4 and 1.18.0.

7. CVE-2025-25292
   Severity: high 8.8 | Hype score: 1 | Published: Mar 12, 2025 | Affects: Ruby (ruby-saml)
   CVE-2025-25292 is a second authentication bypass vulnerability in the ruby-saml library used by GitLab for SAML single sign-on (SSO). Like CVE-2025-25291, it is caused by a parser differential between ReXML and Nokogiri, which can yield different document structures for the same XML input and allows an attacker with a valid signed SAML document to perform a Signature Wrapping attack and authenticate as another valid user within the SAML Identity Provider (IdP) environment. Affected GitLab CE/EE versions are 17.7.0 through 17.7.6, 17.8.0 through 17.8.4, 17.9.0 and 17.9.1, and earlier releases. Fixes are available in ruby-saml 1.12.4 and 1.18.0 and in GitLab CE/EE 17.7.7, 17.8.5, and 17.9.2.

8. CVE-2025-24201
   Severity: high 8.8 | Exploit known | Hype score: 1 | Published: Mar 11, 2025 | Affects: Apple WebKit
   CVE-2025-24201 is a zero-day vulnerability in Apple's WebKit browser engine. Maliciously crafted web content can exploit an out-of-bounds write to break out of the Web Content sandbox. It affects iOS, iPadOS, macOS, visionOS, and Safari, as well as Linux and Windows systems that embed WebKit; on Apple hardware that includes iPhone XS and later, several iPad models, Macs running macOS Sequoia, and Apple Vision Pro. Apple addressed it with improved checks in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. The bug was reportedly exploited in highly sophisticated attacks against specific individuals on versions of iOS before iOS 17.2, which contained a partial mitigation; the new updates are a supplementary fix. Although the attacks were not widespread, Apple urges users to install the latest security updates. The vulnerability was discovered by Bill Marczak of The Citizen Lab at the University of Toronto.

9. CVE-2025-24985
   Severity: high 7.8 | Exploit known | Hype score: 1 | Published: Mar 11, 2025 | Affects: Microsoft Windows, Fast FAT File System Driver
   CVE-2025-24985 is a code execution vulnerability in the Windows Fast FAT File System Driver, caused by an integer overflow or wraparound in the driver. Microsoft classifies it as remote code execution, but exploitation requires local access and user interaction: an attacker must convince the target to mount a specially crafted virtual hard disk (VHD), after which arbitrary code runs on the system. It affects Windows 10, Windows Server 2019, Windows Server 2022, and likely other Windows versions, and was patched by Microsoft in March 2025. Technical details are not widely available, but an exploit exists, and the Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog on evidence of active exploitation. Users are strongly encouraged to apply the patches as soon as possible.

10. CVE-2025-21590
   Severity: medium 6.7 | Exploit known | Hype score: 1 | Published: Mar 12, 2025 | Affects: Juniper Networks Junos OS
   CVE-2025-21590 is an Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS. A local attacker with high privileges and shell access can inject arbitrary code and compromise the integrity of the device; it is not exploitable from the Junos CLI. It affects Junos OS versions before 21.2R3-S9, 21.4 versions before 21.4R3-S10, 22.2 versions before 22.2R3-S6, 22.4 versions before 22.4R3-S6, 23.2 versions before 23.2R2-S3, 23.4 versions before 23.4R2-S4, and 24.2 versions before 24.2R1-S2, as well as version 24.2R2.
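Several entries on this page (Apache Tomcat CVE-2025-24813, FortiOS/FortiProxy CVE-2024-55591 and CVE-2025-24472, Junos OS CVE-2025-21590) are defined by version ranges whose strings do not compare as plain numbers: Tomcat milestone builds such as 9.0.0.M1, and Junos release/service levels such as 21.4R3-S10. The script below is an added example, not code from the CVE Trends page or from Apache, Fortinet or Juniper. It parses each product's version scheme, applies the ranges exactly as the page states them, and for Tomcat also reads the DefaultServlet configuration preconditions the entry describes (writable default servlet, partial PUT enabled). The init-param names `readonly` and `allowPartialPut` and the sample `web.xml` strings are assumptions made here; the version ranges are the page's own.

```python
"""Affected-version checks for the ranges quoted on this page, plus the Tomcat
partial-PUT preconditions read from web.xml. Added example, not vendor code.
Assumed: DefaultServlet init-param names "readonly" and "allowPartialPut";
the sample web.xml documents below are constructed for this example."""
import re
import xml.etree.ElementTree as ET


def parse_tomcat(v):
    """'9.0.0.M1' -> (9, 0, 0, 1); GA builds get a high marker so M1 sorts before GA."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v}")
    a, b, c, ms = m.groups()
    return (int(a), int(b), int(c), int(ms) if ms else 10**6)


def parse_dotted(v):
    """FortiOS / FortiProxy '7.0.16' -> (7, 0, 16)."""
    return tuple(int(x) for x in v.split("."))


def parse_junos(v):
    """'21.4R3-S10' -> (21, 4, 3, 10); a release without -S is service level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:-S(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Junos version: {v}")
    yr, rel, r, s = m.groups()
    return (int(yr), int(rel), int(r), int(s) if s else 0)


# Inclusive ranges exactly as stated on the page.
TOMCAT_RANGES = [("9.0.0.M1", "9.0.98"), ("10.1.0.M1", "10.1.34"), ("11.0.0.M1", "11.0.2")]
FORTI_RANGES = {"FortiOS": [("7.0.0", "7.0.16")],
                "FortiProxy": [("7.0.0", "7.0.19"), ("7.2.0", "7.2.12")]}
# Junos: (release train, or None for "all versions before") and the first fixed build,
# plus the one build the page lists explicitly.
JUNOS_FIXED = [(None, "21.2R3-S9"), ((21, 4), "21.4R3-S10"), ((22, 2), "22.2R3-S6"),
               ((22, 4), "22.4R3-S6"), ((23, 2), "23.2R2-S3"), ((23, 4), "23.4R2-S4"),
               ((24, 2), "24.2R1-S2")]
JUNOS_EXTRA = {"24.2R2"}


def tomcat_affected(v):
    pv = parse_tomcat(v)
    return any(parse_tomcat(lo) <= pv <= parse_tomcat(hi) for lo, hi in TOMCAT_RANGES)


def forti_affected(product, v):
    pv = parse_dotted(v)
    return any(parse_dotted(lo) <= pv <= parse_dotted(hi) for lo, hi in FORTI_RANGES[product])


def junos_affected(v):
    if v in JUNOS_EXTRA:
        return True
    pv = parse_junos(v)
    return any((train is None or pv[:2] == train) and pv < parse_junos(fixed)
               for train, fixed in JUNOS_FIXED)


def default_servlet_params(web_xml):
    """Init-params of Tomcat's DefaultServlet from a web.xml string, ignoring XML namespaces."""
    def local(e):
        return e.tag.rsplit("}", 1)[-1]
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet) != "servlet":
            continue
        cls = next(((e.text or "") for e in servlet if local(e) == "servlet-class"), "")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for ip in servlet:
            if local(ip) == "init-param":
                kv = {local(e): (e.text or "").strip() for e in ip}
                params[kv.get("param-name")] = kv.get("param-value")
    return params


def tomcat_partial_put_exposed(version, web_xml):
    """True when an affected build also meets the disclosure/injection preconditions:
    DefaultServlet writable (readonly=false) and partial PUT enabled (default true).
    The RCE path additionally needs file-based session persistence and a gadget
    library, which this function does not check. Missing params use Tomcat defaults."""
    p = default_servlet_params(web_xml)
    writable = p.get("readonly", "true").lower() == "false"
    partial_put = p.get("allowPartialPut", "true").lower() != "false"
    return tomcat_affected(version) and writable and partial_put


# Constructed samples: the weak setting (readonly=false) and the hardened default.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false", "<param-value>true")
```

Against a live instance, feed the output of `version.sh` and the contents of `conf/web.xml` to `tomcat_partial_put_exposed`; the Junos rule with train `None` deliberately catches older trains (for example 20.4) because the page says "versions before 21.2R3-S9" without a lower bound.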