CVE Trends

CVE-2025-24071 involves the exposure of sensitive information in Windows File Explorer, potentially allowing an attacker to perform spoofing over a network. This vulnerability arises from how Windows Explorer handles specially crafted .library-ms files within RAR/ZIP archives. When such an archive is extracted, Windows Explorer automatically parses the .library-ms file due to its indexing and preview mechanisms. If the .library-ms file contains a SimpleLocation tag pointing to an attacker-controlled SMB server, Windows Explorer attempts to resolve this path, triggering an NTLM authentication handshake and potentially sending the victim's NTLMv2 hash without explicit user interaction. This implicit trust and automatic processing of certain file types upon extraction can be exploited to leak credentials.

CVE-2025-29927 is an authorization bypass vulnerability affecting Next.js, a React framework. It stems from the improper handling of the `x-middleware-subrequest` header. By exploiting this vulnerability, attackers can bypass authorization checks implemented in Next.js middleware. This flaw allows attackers to skip running the middleware, potentially allowing requests to bypass critical checks like authorization cookie validation before reaching routes. Self-hosted Next.js applications using Middleware are affected, specifically those relying on it for authentication or security checks. The vulnerability is fixed in Next.js versions 14.2.25 and 15.2.3.

CVE-2025-22224 is a critical vulnerability affecting VMware ESXi and Workstation products. It's a time-of-check to time-of-use (TOCTOU) race condition flaw that can lead to an out-of-bounds write within the VMCI (Virtual Machine Communication Interface). An attacker with local administrator privileges on a virtual machine can exploit this vulnerability to execute code as the virtual machine's VMX process running on the host. This vulnerability allows attackers to escalate privileges from a compromised virtual machine to the underlying host system. Successful exploitation could grant the attacker control over the entire ESXi host, potentially impacting other virtual machines running on the same server. This vulnerability is known to be actively exploited in the wild.

CVE-2025-25291 is an authentication bypass vulnerability found in ruby-saml, a Security Assertion Markup Language (SAML) single sign-on (SSO) library for Ruby. The vulnerability stems from a parser differential between ReXML and Nokogiri, where these parsers generate different document structures from the same XML input. This discrepancy allows an attacker to execute a Signature Wrapping attack. Specifically, the vulnerability exists because ReXML and Nokogiri parse XML differently, potentially leading to an authentication bypass. An attacker with access to a valid signed SAML document from the Identity Provider (IdP) could authenticate as another valid user within the environment's SAML IdP. This vulnerability affects GitLab CE/EE versions 17.9.0, 17.9.1, 17.8.0, 17.8.1, 17.8.2, 17.8.3, 17.8.4, 17.7.0, 17.7.1, 17.7.2, 17.7.3, 17.7.4, 17.7.5, 17.7.6, and below. Patched versions are available in ruby-saml versions 1.12.4 and 1.18.0.

CVE-2024-56346 affects IBM AIX versions 7.2 and 7.3. It is a vulnerability in the nimesis Network Installation Management (NIM) master service. The vulnerability is due to improper process controls, which could allow a remote attacker to execute arbitrary commands on the system. Exploitation of this vulnerability can be achieved remotely and does not require any privileges or user interaction.

CVE-2025-23120 is a vulnerability in Veeam Backup & Replication software that allows remote code execution (RCE) by authenticated domain users. It affects version 12.3.0.310 and all earlier version 12 builds. The vulnerability was discovered by Piotr Bazydlo of watchTowr. The vulnerability exists because of uncontrolled deserialization within the Veeam codebase. Specifically, it can be exploited by any user who belongs to the local users group on the Windows host of the Veeam server, or by any domain user if the server is joined to the domain. Veeam has addressed this flaw in Veeam Backup & Replication 12.3.1 (build 12.3.1.1139), and organizations are urged to apply the patch immediately.

CVE-2024-0402 is a vulnerability found in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects versions 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. The vulnerability allows an authenticated user to write files to arbitrary locations on the GitLab server. This occurs when a user creates a workspace, due to improper limitation of a pathname to a restricted directory, also known as a path traversal issue.

CVE-2025-24813 is a vulnerability affecting Apache Tomcat versions 9.0.0.M1 through 9.0.98, 10.1.0.M1 through 10.1.34, and 11.0.0.M1 through 11.0.2. It stems from an issue in how Tomcat handles partial PUT requests. Specifically, the vulnerability arises from the use of a temporary file based on user-supplied filenames and paths, where the path separator is replaced by a dot. This can potentially allow unauthorized access to sensitive files, injection of malicious content, or even remote code execution under certain conditions. Exploitation of this vulnerability requires a specific set of circumstances. For information disclosure or content injection, the default servlet must have write access enabled (it's disabled by default), partial PUT support must be enabled (which it is by default), and the target URL for sensitive uploads must be a subdirectory of a public upload URL. The attacker also needs to know the names of the sensitive files being uploaded via partial PUT. For remote code execution, the same conditions apply, with the addition of the application using Tomcat's file-based session persistence in the default location and including a library vulnerable to deserialization attacks.

CVE-2024-55591 is an authentication bypass vulnerability affecting Fortinet's FortiOS and FortiProxy products. A remote, unauthenticated attacker can exploit this flaw by sending specially crafted requests to the Node.js websocket module. Successful exploitation grants the attacker super-admin privileges on the targeted device. The vulnerability affects FortiOS versions 7.0.0 through 7.0.16, FortiProxy versions 7.0.0 through 7.0.19, and FortiProxy versions 7.2.0 through 7.2.12. Fortinet confirmed active exploitation of this vulnerability as early as November 2024, with reports of attackers creating new user accounts, modifying firewall settings, and establishing SSL VPN tunnels for internal network access. This vulnerability has been assigned a CVSSv3 score of 9.6, indicating its critical nature.

CVE-2024-48248 is an absolute path traversal vulnerability found in NAKIVO Backup & Replication software versions before 11.0.0.88174. This vulnerability allows an unauthenticated attacker to read arbitrary files on the target host. The vulnerability is located in the `/c/router` endpoint, which can be exploited via `getImageByPath`. Successful exploitation of CVE-2024-48248 can lead to the exposure of sensitive information, including configuration files, backups, and credentials. This could potentially lead to data breaches or further security compromises. The vulnerability has been addressed in version 11.0.0.88174 of NAKIVO Backup & Replication.