CVE Trends
Top 10 CVEs trending on social media within the last 24 hours.
When the Hypemeter is low, rankings become less reliable due to limited online discussion.

Each entry lists the CVE, its severity rating, whether a public exploit is known, its hype score, its publication date, the affected vendor or product, and a summary.
1. CVE-2025-24201
   Severity: high 7.1
   Hype score: 18
   Published: Mar 11, 2025
   Affected: Apple, WebKit
   CVE-2025-24201 is a zero-day vulnerability in Apple's WebKit browser engine. Maliciously crafted web content can exploit it to break out of the Web Content sandbox. It affects iOS, iPadOS, macOS, visionOS and Safari, as well as Linux and Windows systems where WebKit is used. The underlying flaw is an out-of-bounds write, which Apple addressed with improved checks in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2 and Safari 18.3.1. The bug was reportedly exploited in highly sophisticated attacks against specific individuals before the release of iOS 17.2, which contained a partial mitigation. Although the attacks were not widespread, Apple urges users to install the latest security updates to prevent further exploitation attempts. The vulnerability was discovered by Bill Marczak of The Citizen Lab at the University of Toronto. Affected hardware includes iPhone XS and later, several iPad models, Macs running macOS Sequoia and Apple Vision Pro.

2. CVE-2025-24985
   Severity: high 7.8
   Exploit known: yes
   Hype score: 7
   Published: Mar 11, 2025
   Affected: Windows, Fast FAT Driver
   CVE-2025-24985 is a remote code execution vulnerability in the Windows Fast FAT File System Driver, caused by an integer overflow or wraparound within the driver. An attacker could exploit it by convincing a target to mount a specially crafted virtual hard disk (VHD); successful exploitation allows the attacker to execute arbitrary code on the system. Exploitation requires local access and user interaction. The vulnerability affects Windows 10, Windows Server 2019, Windows Server 2022 and likely other versions of Windows. It was reported to Microsoft and patched in March 2025. The Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities Catalog on the basis of evidence of active exploitation. While technical details are not widely available, an exploit is known to exist. Microsoft has released patches, and users are strongly encouraged to apply them as soon as possible.

3. CVE-2023-1389
   Severity: high 8.8
   Exploit known: yes
   Hype score: 6
   Published: Mar 15, 2023
   Affected: TP-Link
   CVE-2023-1389 is an unauthenticated command injection vulnerability in the TP-Link Archer AX21 (AX1800) Wi-Fi router, present in firmware versions prior to 1.1.4 Build 20230219. Exploitation is possible via a crafted POST request to the router's web management interface. Specifically, the flaw lies in the "country" parameter of a form accessible at the /cgi-bin/luci/;stok=/locale endpoint. Because the input is not properly sanitized, an attacker can inject arbitrary commands that are executed with root privileges via the `popen()` function, giving full control of the affected device. The vulnerability was first used in a Pwn2Own competition in December 2022, later independently discovered by other researchers, and publicly disclosed. TP-Link has released firmware version 1.1.4 Build 20230219 to address the issue. Despite the availability of a patch, the vulnerability continues to be actively exploited in the wild by various botnets, including Mirai, Moobot, AGoent and Gafgyt. Users of the affected router model should update their firmware to the latest version to mitigate the risk.

4. CVE-2025-1661
   Severity: critical 9.8
   Hype score: 5
   Published: Mar 11, 2025
   Affected: WordPress
   CVE-2025-1661 is a local file inclusion (LFI) vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, affecting versions up to and including 1.3.6.5. The flaw lies in the 'template' parameter of the `woof_text_search` AJAX action and allows unauthenticated attackers to include and execute arbitrary files on the server, which could enable execution of any PHP code contained in those files. Exploitation could allow attackers to bypass access controls, access sensitive data and potentially achieve remote code execution, particularly if the server accepts uploads of images or other seemingly harmless file types that could carry embedded malicious code. As of March 11, 2025, there is no publicly available proof-of-concept exploit and no evidence of active exploitation; however, technical details of the vulnerability are known.

5. CVE-2024-43451
   Hype score: 5
   Published: Nov 12, 2024
   Affected: Microsoft, Windows
   CVE-2024-43451 is a spoofing vulnerability affecting Microsoft Windows and Windows Server. It enables attackers to obtain a user's NTLMv2 hash, which contains authentication material usable in pass-the-hash attacks, and thereby potentially impersonate the user and gain unauthorized access. The attack involves a malicious URL file: when a user interacts with the file, for example by right-clicking, deleting or moving it, a connection to the attacker's server is established and the NTLMv2 hash is leaked. Exploitation requires minimal user interaction, and the flaw was reportedly used in attacks targeting Ukrainian entities. The vulnerability was discovered in June 2024, and Microsoft released a patch on November 12, 2024. Users are strongly encouraged to apply the patch to mitigate the risk associated with CVE-2024-43451.

6. CVE-2025-27363
   Severity: high 8.1
   Hype score: 4
   Published: Mar 11, 2025
   Affected: FreeType
   CVE-2025-27363 is a vulnerability in FreeType versions 2.13.0 and below. It occurs when parsing font subglyph structures related to TrueType GX and variable font files. The issue stems from assigning a signed short value to an unsigned long, followed by adding a static value; this wraps around and causes a heap buffer that is too small to be allocated. The code can then write up to 6 signed long integers out of bounds relative to the undersized buffer, an out-of-bounds write that can potentially lead to arbitrary code execution. It has been reported that this vulnerability may have been exploited in the wild.

7. CVE-2025-27152
   Severity: high 7.7
   Hype score: 2
   Published: Mar 7, 2025
   Affected: JavaScript, Axios
   CVE-2025-27152 is a vulnerability in Axios, a popular JavaScript HTTP client library used in both browser and Node.js environments. The flaw allows attackers to potentially perform Server-Side Request Forgery (SSRF) and leak sensitive credentials, because Axios improperly handles absolute URLs in requests. Even when a `baseURL` is configured, passing an absolute URL in a request causes Axios to ignore the base and send the request directly to the specified absolute URL. This behaviour can bypass security measures intended to restrict requests to specific domains or resources; consequently, attackers could craft requests targeting internal network services or exfiltrate sensitive data such as API keys or credentials included in the requests. The vulnerability affects Axios versions up to and including 1.7.9 and has been addressed in version 1.8.2.

8. CVE-2025-24813
   Severity: medium 5.5
   Hype score: 2
   Published: Mar 10, 2025
   Affected: Apache Tomcat
   CVE-2025-24813 is a vulnerability affecting Apache Tomcat versions 9.0.0.M1 through 9.0.98, 10.1.0.M1 through 10.1.34, and 11.0.0.M1 through 11.0.2. It stems from how Tomcat handles partial PUT requests: a temporary file is named from the user-supplied filename and path, with the path separator replaced by a dot. This can potentially allow unauthorized access to sensitive files, injection of malicious content or, under certain conditions, remote code execution. Exploitation requires a specific set of circumstances. For information disclosure or content injection, the default servlet must have write access enabled (it is disabled by default), partial PUT support must be enabled (it is enabled by default), and the target URL for sensitive uploads must be a subdirectory of a public upload URL; the attacker also needs to know the names of the sensitive files being uploaded via partial PUT. For remote code execution, the same conditions apply, plus the application must use Tomcat's file-based session persistence in the default location and include a library vulnerable to deserialization attacks.

9. CVE-2024-12297
   Severity: critical 9.2
   Hype score: 1
   Published: Jan 15, 2025
   Affected: Moxa
   CVE-2024-12297 is an authentication bypass vulnerability affecting Moxa PT switches and the EDS-508A series running firmware version 3.11 and earlier. The vulnerability is due to flaws in the authorization mechanism: although both client-side and back-end server verification are implemented, weaknesses allow attackers to bypass these checks. Attackers may exploit it through brute-force attacks to guess credentials or MD5 collision attacks to forge authentication hashes. Successful exploitation could allow unauthorized access to sensitive configurations or disruption of services. Moxa has released patches and recommends that users update their firmware or apply the suggested mitigation steps: minimizing network exposure, limiting SSH access to trusted sources, implementing intrusion detection or prevention systems, using firewalls and access control lists to restrict communication, and segregating operational networks from other networks.

10. CVE-2025-27636
   Severity: medium 5.6
   Hype score: 1
   Published: Mar 9, 2025
   Affected: Apache Camel
   CVE-2025-27636 is a bypass/injection vulnerability in the Apache Camel Bean component, affecting Apache Camel versions 4.10.0 through 4.10.1, 4.8.0 through 4.8.4, and 3.10.0 through 3.22.3. The issue arises when specific HTTP servers (camel-servlet, camel-jetty, camel-undertow, camel-platform-http or camel-netty-http) are used together with the camel-bean producer and the targeted bean has multiple methods. The default header filtering mechanism only blocks headers starting with "Camel", "camel" or "org.apache.camel."; by changing the casing of these prefixes, an attacker can bypass the filter and inject arbitrary headers, causing unintended methods on the bean to be invoked. Users are advised to upgrade to Apache Camel 4.10.2, 4.8.5 or 3.22.4, depending on their current version branch. As a mitigation, headers can be removed within Camel routes, for example with the removeHeaders EIP, to filter out headers that do not adhere to the standard prefixes.