Security Advisory

Security Advisory

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-06-10 
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client. 

  • 67 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed 

Breakdown of May 2025 Vulnerabilities 

  • 25 Remote Code Execution (RCE) 
  • 17 Information Disclosure 
  • 14 Elevation of Privilege (EoP) 
  • 6 Denial of Service (DoS)  
  • 3 Security Feature Bypass 
  • 2 Spoofing 
  • 2 Chromium (Edge) Vulnerabilities 
  • 1 Windows Secure Boot 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebDAV Remote Code Execution (Exploited in the wild)  CVE-2025-33053 Windows High 8.8 
SMB Client Elevation of Privilege (Publicly disclosed) CVE-2025-33073 Windows  High 8.8 

Technical Summary 

Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-33053 Windows 10,11 and Windows Server WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. Remote Code Execution 
CVE-2025-33073 Windows 10,11 and Windows Server EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. Elevation of Privilege  

Source: Microsoft and NVD 

In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed: 

  • CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4) 
  • CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8) 
  • CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1) 
  • CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1) 
  • CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8) 
  • CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8) 
  • CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8) 
  • CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8) 
  • CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5) 

Remediation

  • Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks. 

General Recommendations: 

  • Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution. 
  • Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure. 
  • Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073. 
  • Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems. 
  •  Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule. 

Conclusion: 

Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.

Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency. 

References

Security Advisory

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited 

Summary :

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

OEM Fortinet 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-32756 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices. 

Vulnerability Name CVE ID Product Affected Severity 
Remote Code Execution Vulnerability  CVE-2025-32756 Fortinet Products  Critical 

Technical Summary 

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication. 

The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-32756  FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate.   Remote Code Execution, Full device takeover, persistence, data theft, log erasure. 

Remediation

  • Update Immediately: Apply the latest security patches provided by Fortinet. 
  • FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+ 
  • FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+ 
  • FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+ 
  • FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+ 
  • FortiCamera: 2.1.4+ 
  • Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround 

Indicator of Compromise 

For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:  

IP Addresses FileHash-MD5 
156.236.76.90 2c8834a52faee8d87cff7cd09c4fb946 
198.105.127.124 4410352e110f82eabc0bf160bec41d21 
218.187.69.244 489821c38f429a21e1ea821f8460e590 
218.187.69.59 ebce43017d2cb316ea45e08374de7315 
43.228.217.173 364929c45703a84347064e2d5de45bcd 
43.228.217.82   

Conclusion: 
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.

Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss. 

These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.

Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.

References

Security Advisory

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI  

Summary: A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.

OEM AWS 
Severity Critical 
CVSS Score 9.5 
CVEs CVE-2025-4318 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A critical vulnerability has been discovered in AWS Amplify Studio’s UI generation tool, @aws-amplify/codegen-ui, which allows Remote Code Execution (RCE) during build or render time.

Tracked as CVE-2025-4318, this flaw originates from unsafe evaluation of user-defined JavaScript expressions without proper input validation or sandboxing.

It has been assigned a CVSS score of 9.5. Exploitation could lead to unauthorized command execution, leakage of AWS secrets, or full compromise of CI/CD environments. AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Unsafe Expression Evaluation in Codegen-UI  CVE-2025-4318 @aws-amplify/codegen-ui  Critical  2.20.3 

Technical Summary 

The vulnerability stems from how AWS Amplify Studio processed dynamic expressions defined in component fields (eg: label, placeholder).

In affected versions, these expressions were directly evaluated using eval() without any filtering or validation, assuming they were safe.

This behavior enabled attackers to inject malicious code into UI schemas that would execute during the build or runtime process particularly dangerous in CI/CD pipelines where secrets and environment variables are accessible. 

A working Proof-of-Concept (PoC) has been developed and shared by researchers, which simulates the exploit using a crafted JSON component, a Node.js script and a Python server. The PoC demonstrates successful RCE via malicious input evaluated by the vulnerable tool. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-4318  AWS Amplify Studio (<=2.20.2) Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.    RCE, exposure of secrets, CI/CD compromise, unauthorized system control 

Remediation

Upgrade Immediately: Update @aws-amplify/codegen-ui to version 2.20.3 or later, which replaces unsafe evaluation logic with a sandboxed function (safeEval) and a keyword blacklist. 

Conclusion: 
CVE-2025-4318 is a severe RCE vulnerability in AWS Amplify Studio caused by unsafe evaluation of JavaScript expressions during UI component rendering or generation.

A fully functional PoC exploit has been published, which clearly demonstrates the risk of using eval() in dynamic application code without input validation. 

The fixed version mitigates this risk by introducing a sandboxed evaluation mechanism and filtering dangerous keywords. Organizations using Amplify Studio should upgrade immediately and audit all inputs and build processes for safety. 

AWS security teams have advised developers to immediately upgrade to version 2.20.3 or later and audit all existing component schemas for potentially unsafe expressions.

The incident highlights the critical importance of implementing secure coding practices in low-code development platforms where user input directly influences code generation and execution processes.

References

Security Advisory

Critical Credential Reuse Vulnerability in Cisco ISE Cloud Deployments 

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 9.9 
CVEs CVE-2025-20286 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.

Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions. 

Vulnerability Name CVE ID Product Affected Severity 
​Cisco ISE Shared Credential Vulnerability  CVE-2025-20286 Cisco ISE   Critical 

Technical Summary 

The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Each deployment of the same ISE version on a given platform (eg – AWS 3.1) shares identical static credentials. This oversight enables an attacker to extract credentials from one deployment and reuse them to access others, if network access is available. 

This issue is only to cloud-hosted Primary Administration nodes. Traditional on-premises deployments or hybrid setups with local admin nodes are not affected. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-20286  Cisco ISE 3.1 – 3.4 Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform   Access sensitive data 

Remediation

Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4. 

Cisco ISE Release Hot Fix First Fixed Release 
3.0 and earlier Not applicable. Not affected. 
3.1 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.2 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.3 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.3P8 (November 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.4 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.4P3 (October 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.5 Not applicable. Planned release (Aug 2025) 

Conclusion: 
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.

Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation. 

Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative. 

References

Security Advisory

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform 

Summary 

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

OEM Cisco 
Severity MEDIUM 
CVSS Score 4.3 
CVEs CVE-2025-20297 
CWEs CWE-79 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

This issue allows low privileged users to execute unauthorized JavaScript code in a victim’s browser using a specific Splunk feature that generates Pdf from dashboards.

Although the vulnerability is rated as Medium (CVSS 4.3) but it could be a significant risk in environments where Splunk Web is widely accessed by users. 

The vulnerability specifically targets instances with Splunk Web enabled, which represents the majority of production deployments given the component’s central role in dashboard management and user interface functionality.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Reflected Cross Site Scripting  CVE-2025-20297 Splunk Enterprise & Cloud  Medium  Check the remediation section. 

Technical Summary 

The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low \privileged user (not an admin or power user) can inject a malicious script via this endpoint.

If a legitimate user interacts with the resulting PDF or link, their browser may execute the injected script without their consent, this is working as reflected XSS. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-20297  Splunk Enterprise & Cloud multiple versions Low-privileged users can exploit the pdfgen/render endpoint to inject unauthorized JavaScript code into a victim’s browser. Code Execution/Reflected xss. 

Remediation

Splunk has released updates, that addressed the vulnerability:  

  • Splunk Enterprise: Upgrade to version 9.4.2, 9.3.4, 9.2.6, 9.1.9 or latest. 
  • Splunk Cloud Platform: Upgrade to version 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or latest. 

If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation. For this you can review the web.conf configuration file and follow the Splunk guidance on disabling unnecessary components. 

Disabling Splunk Web may impact users who rely on the web interface so consider access controls or network-based restrictions as temporary mitigations. 

Conclusion: 
While CVE-2025-20297 is rated as a medium severity vulnerability, it should not be ignored in the environments where many users interact with Splunk dashboards. Attackers with limited permissions could potentially target higher privileged users by modifying malicious links or payloads. 

Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.

Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking. 

While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access patterns to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure

This vulnerability poses a significant risk to organizations relying on Splunk’s data analytics platform for security monitoring and business intelligence operations.

References

Security Advisory

High Risk DoS Vulnerability in ModSecurity WAF 

Summary 

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.

OEM ModSecurity 
Severity HIGH 
CVSS Score 7.5 
CVEs CVE-2025-48866 
CWEs CWE-1050 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A Denial of Service (DoS) vulnerability has been identified in ModSecurity, an open-source web application firewall (WAF) used with Apache, Nginx and IIS.

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10. 

There is no user interaction required to trigger, exploiting it can lead to significant resource consumption, resulting in service disruption. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Denial of Service (DoS) vulnerability  CVE-2025-48866 Modsecurity WAF  High  v2.9.10 

Technical Summary 

The vulnerability arises from the behavior of the “sanitiseArg” (also referred to as “sanitizeArg”) action in ModSecurity. This action sanitizes a specific argument passed to a rule (e.g.- password), masking it in the logs by replacing its value with asterisks (*). 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-48866  ModSecurity (mod_security2.x) prior to v2.9.10 When a rule uses the sanitiseArg action, it processes each argument that matches the specified name (e.g – password).  If a large number of matching arguments (e.g.- 500 or more) are passed, ModSecurity repeatedly adds them to memory, which can lead to excessive memory consumption and potentially crash the system. System crashes due to resource exhaustion (DoS)   

Remediation

Apply Patches Promptly: Upgrade to ModSecurity version 2.9.10 or the latest one. 

Avoid using the “sanitizeArg” or “sanitizeArg” actions in your rules. If these actions are not used, the engine will not be affected by the vulnerability.  

Conclusion: 
This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection. 

Although the vulnerability is rated as high, it requires a specific set of conditions to be exploited. But to ensure the continued stability and security of web applications, the fix needs to be applied as soon as possible. 

References

Security Advisory

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security 

Summary : Security Advisory

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

OEM IBM 
Severity Critical 
CVSS Score 9.6 
CVEs CVE-2025-25022, CVE-2025-2502, CVE-2025-25020, CVE-2025-25019, CVE-2025-1334 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Information Disclosure Vulnerability  CVE-2025-25022 IBM Cloud Pak, QRadar Suite  9.6  Critical 
Code Execution Vulnerability  CVE-2025-25021 IBM QRadar SIEM  7.2  High 
Denial of Service Vulnerability  CVE-2025-25020 IBM QRadar SIEM  6.5  Medium 
Session Hijacking Vulnerability  CVE-2025-25019 IBM QRadar SIEM  4.8  Medium 
Web Cache Disclosure Vulnerability  CVE-2025-1334 IBM QRadar Suite  4.0  Medium 

Technical Summary 

The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.

These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-25022   QRadar SIEM Unauthenticated access to sensitive config files due to poor protections.   Information disclosure, RCE 
   CVE-2025-25021    QRadar SIEM Privileged code execution due to improper script code generation in case management.   Remote Code Execution 
  CVE-2025-25020   QRadar SIEM API input validation flaw allowing service crash via malformed data   Denial of Service 
   CVE-2025-25019    QRadar SIEM Sessions not invalidated upon logout, enabling impersonation by attackers. Session Hijacking 
  CVE-2025-1334   QRadar Suite Cached web content readable by other users, compromising multi-user data confidentiality. Local Info Disclosure 

Remediation

  • Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later. 

Refer to IBM’s official installation and upgrade documentation for detailed steps.  

Conclusion: 
These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.

IBM has acknowledged these issues and released patches to address all five vulnerabilities. 

Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.

References

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Security Advisory

Google Chrome Patches Actively Exploited Zero-Day Vulnerability 

Summary : Security Advisory

Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild.

OEM Google 
Severity HIGH 
CVSS Score 8.8 
CVEs CVE-2025-5419 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention. 

In addition to the zero-day fix, this update also includes a patch for CVE-2025-5068, a medium severity use-after-free vulnerability in Blink, chrome’s rendering engine.

While less critical, such flaws can still result in memory corruption and possible code execution. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-bounds memory access vulnerability  CVE-2025-5419 Google Chrome  High  137.0.7151.68/.69 (Win/Mac), 137.0.7151.68 (Linux) 

Technical Summary 

This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.

This flaw affects the V8 JavaScript engine and allows attackers to execute arbitrary code via crafted web content.

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-5419  Chrome (all platforms) Out-of-bounds read and write in the V8 JavaScript engine; triggered via malicious HTML   Arbitrary code execution, memory compromise, remote attack 

Remediation

Apply Patches Promptly: Upgrade to Chrome version 137.0.7151.68/.69 or later for Windows and macOS, and 137.0.7151.68 or later for Linux to mitigate the vulnerabilities. 

General Recommendation: 

  • Prioritize Zero-Day Fixes: Treat this patch as high priority due to confirmed in-the-wild exploitation. Immediate action is critical to prevent potential system compromise. 
  • Update Chromium-Based Browsers: Ensure Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are updated as soon as vendor-specific patches are released. 
  • Automate Browser Updates: Enable automatic updates in Chrome and Chromium environments to maintain timely patching against emerging threats. 
  • Enterprise Patch Rollout: Administrators should fast-track deployment of the fixed version across all endpoints, particularly in high-risk or externally exposed environments. 
  • Monitor for Threat Activity: Continuously monitor browser and network activity for signs of exploitation attempts targeting vulnerable versions. 

Conclusion: 
CVE-2025-5419 poses a significant security risk with confirmed active exploitation in the wild.

Google’s swift action highlights the urgency of this threat. All users are strongly advised to update their Chrome browsers immediately. Delaying this update could expose systems to compromise through malicious web content exploiting this zero-day vulnerability. 

While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.

References

Scroll to top