CVE Trends

CVE-2025-29927 is an authorization bypass vulnerability affecting Next.js, a React framework. It stems from the improper handling of the `x-middleware-subrequest` header. By exploiting this vulnerability, attackers can bypass authorization checks implemented in Next.js middleware. This flaw allows attackers to skip running the middleware, potentially allowing requests to bypass critical checks like authorization cookie validation before reaching routes. Self-hosted Next.js applications using Middleware are affected, specifically those relying on it for authentication or security checks. The vulnerability is fixed in Next.js versions 14.2.25 and 15.2.3.

CVE-2025-26633 is a security feature bypass vulnerability in the Microsoft Management Console (MMC). It stems from improper neutralization within the MMC, allowing an unauthorized attacker to bypass security restrictions locally. The vulnerability is being actively exploited in the wild by a threat actor known as Water Gamayun (also known as EncryptHub and Larva-208) in a campaign called "MSC EvilTwin". This technique involves the execution of malicious .msc files through a legitimate one by manipulating the Multilingual User Interface Path (MUIPath) to load and execute a malicious file instead of the original one.

CVE-2025-24201 is a zero-day vulnerability found in Apple's WebKit browser engine. This vulnerability allows attackers to bypass the Web Content sandbox using maliciously crafted web content. It affects various Apple devices and operating systems, including iOS, macOS, iPadOS, visionOS, and Safari, as well as Linux and Windows systems where WebKit is utilized. The vulnerability is an out-of-bounds write issue, and Apple has addressed it with improved checks in updates iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. This zero-day vulnerability was reportedly exploited in highly sophisticated attacks targeting specific individuals before the release of iOS 17.2, which contained a partial mitigation. While the attacks were not widespread, Apple urges users to install the latest security updates to prevent further exploitation attempts. The vulnerability was discovered by Bill Marczak of The Citizen Lab at the University of Toronto. It affects a wide range of Apple devices, including iPhone XS and later, several iPad models, Macs running macOS Sequoia, and Apple Vision Pro.

CVE-2025-24085 is a use-after-free vulnerability found in Apple's CoreMedia framework, a key component responsible for processing audio and video data across various Apple operating systems (iOS, macOS, tvOS). This flaw allows malicious applications already present on a device to escalate their privileges, potentially granting them unauthorized access to system resources. Exploitation is reportedly easy and can be initiated remotely. This vulnerability has been actively exploited in attacks targeting iOS versions prior to 17.2. Apple has addressed this issue with improved memory management in security updates released for affected operating systems. While the specific details of the exploit remain undisclosed, it's crucial for users to update their devices to mitigate the risk associated with this vulnerability.

CVE-2024-25600 is a Remote Code Execution (RCE) vulnerability affecting the Bricks Builder plugin for WordPress. This vulnerability exists in versions up to and including 1.9.6. The vulnerability stems from improper handling of user input within the Bricks Builder plugin, which allows unauthenticated attackers to inject and execute arbitrary PHP code remotely on the server. Exploitation could lead to full site compromise, data theft, and potential malware distribution. A patch addressing this vulnerability has been released in Bricks Builder plugin version 1.9.6.1 or higher.

CVE-2024-27956 is an SQL Injection vulnerability affecting the WordPress Automatic plugin by ValvePress, specifically versions up to 3.92.0. The vulnerability stems from improper neutralization of special elements used in an SQL command. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized access to websites, creation of admin-level user accounts, uploading malicious files, and ultimately, taking full control of affected sites. It has been reported that attackers are actively exploiting this vulnerability.

CVE-2024-20439 is a vulnerability in the Cisco Smart Licensing Utility. It stems from an undocumented static user credential for an administrative account. An unauthenticated, remote attacker could exploit this vulnerability by using the static credentials to log in to an affected system. Successful exploitation could allow the attacker to log in with administrative privileges over the API of the Cisco Smart Licensing Utility application. Cisco has released software updates to address this vulnerability.

CVE-2025-1219 is a vulnerability in PHP that affects versions 8.1 before 8.1.32, 8.2 before 8.2.28, 8.3 before 8.3.19, and 8.4 before 8.4.5. It occurs when requesting an HTTP resource using the DOM or SimpleXML extensions. The vulnerability stems from the incorrect handling of the content-type header when a redirected resource is requested. Specifically, the wrong content-type header is used to determine the charset. This can lead to the resulting document being parsed incorrectly or bypassing validations. This issue arises because, during HTTP redirects, PHP doesn't properly clear previously captured headers, potentially leading to the use of a content-type header that doesn't correspond to the final HTML body.

CVE-2025-0282 is a stack-based buffer overflow vulnerability that affects several Ivanti network appliances, including Ivanti Connect Secure (versions prior to 22.7R2.5), Ivanti Policy Secure (versions prior to 22.7R1.2), and Ivanti Neurons for ZTA gateways (versions prior to 22.7R2.3). This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on affected systems. Exploitation of this vulnerability was first observed in mid-December 2024, and Ivanti disclosed the vulnerability on January 8, 2025. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog. It appears the vulnerability is related to the handling of IFT (IF-T) connections.