Security Advisory

Security Advisory

OpenCTI Web-Hook Flaw Enables Full System Compromise

Summary

OEMFiligran
SeverityCritical
CVSS Score9.1
CVEsCVE-2025-24977
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A critical vulnerability (CVE-2025-24977) in the OpenCTI Platform allows authenticated users with specific permissions to execute arbitrary commands on the host infrastructure, leading to potential full system compromise.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ Webhook Remote Code Execution vulnerability  CVE-2025-24977OpenCTI  Critical  6.4.11

Technical Summary

The vulnerability resides in OpenCTI’s webhook templating system, which is built on JavaScript. Users with elevated privileges can inject malicious JavaScript into web-hook templates.

Although the platform implements a basic sandbox to prevent the use of external modules, this protection can be bypassed, allowing attackers to gain command execution within the host container.

Due to common deployment practices using Docker or Kubernetes, where environment variables are used to pass sensitive data (eg: credentials, tokens), exploitation of this flaw may expose critical secrets and permit root-level access, leading to full infrastructure takeover.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-24977  OpenCTI (≤ v6.4.10)The webhook feature allows JavaScript-based message customization. Users with manage customizations permission can craft malicious JavaScript in templates to bypass restrictions and execute OS-level commands. Since OpenCTI is often containerized, attackers can gain root access and extract sensitive environment variables passed to the container.  Root shell access in the container, exposure of sensitive secrets, full system compromise, lateral movement within infrastructure.

Remediation:

  • Upgrade: Immediately update to OpenCTI version 6.4.11 or later.
  • Restrict user permissions: Especially the manage customizations capability — limit access to trusted personnel only.
  • Review and audit: Existing webhook configurations for signs of misuse, unauthorized scripts, or suspicious behavior.
  • Implement container hardening practices: Reduce risk of secret exposure by:
    • Avoiding storage of secrets in environment variables when possible.
    • Using dedicated secret management tools.
    • Running containers with least privilege and limiting runtime capabilities.

The misuse can grant the attacker a root shell inside a container, exposing internal server-side secrets and potentially compromising the entire infrastructure.

Conclusion:
CVE-2025-24977 presents a highly exploitable attack vector within the OpenCTI platform and must be treated as an urgent priority for remediation.

The combination of remote code execution, privileged access and secret exposure in containerized environments makes it especially dangerous.

Organizations leveraging OpenCTI should upgrade to the latest version without delay, review their deployment security posture, and enforce strict access control around webhook customization capabilities.

References:

Security Advisory

Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro Schema 

Summary Security Advisory:

A high-severity remote code execution (RCE) has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2. 

OEM Apache 
Severity High 
CVSS Score Not Available 
CVEs CVE-2025-46762 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Remote Code Execution vulnerability  CVE-2025-46762 Apache Parquet Java  High  1.15.2 

Technical Summary 

CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the “specific” or “reflect” Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.

Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer “generic” Avro model. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-46762  Apache Parquet Java ≤1.15.1 Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the “specific” or “reflect” data models, and relies on the presence of pre-approved trusted packages like java.util.  Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. 

Conditions for Exploitation: 

  • Applications must use parquet-avro to read Parquet files. 
  • The Avro “specific” or “reflect” deserialization models are used (not “generic”). 
  • Attacker-supplied or untrusted Parquet files are processed by the system. 

This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested. 

Remediation

  • Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization. 
  • For users unable to upgrade immediately: apply the following JVM system property to disable trusted package deserialization: 

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=”” 

Conclusion: 
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation. 

References

Security Advisory

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit 

Summary of Security Advisory

A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)

OEM Tesla 
Severity High 
CVSS Score 7.5 
CVEs CVE-2025-2082 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This provides potentiality in giving access to critical vehicle controls; Tesla has addressed the issue in firmware version 2024.14. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Remote Code Execution vulnerability  CVE-2025-2082 Tesla Model 3   High  7.5 

Technical Summary 

The vulnerability lies in the VCSEC module, responsible for security functions like immobilization, door locking, and TPMS monitoring.

An integer overflow occurs when the VCSEC processes malformed certificate responses transmitted via the TPMS subsystem. Exploiting this flaw enables memory corruption, leading to remote code execution.

The attack does not require user interaction or authentication and can be carried out over adjacent wireless interfaces such as Bluetooth Low Energy (BLE) or Ultra-Wideband (UWB).

Once compromised, attackers may issue unauthorized commands to the Controller Area Network (CAN) bus, which governs safety-critical systems including braking, steering, and acceleration. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2082   Tesla Model 3 (pre-2024.14) Integer overflow in VCSEC module’s certificate handling logic triggered by malformed TPMS messages.  Remote code execution, unauthorized CAN bus access, potential control over critical systems 

Remediation

  • Update Tesla Firmware: Owners should update firmware version 2024.14 via the vehicle’s touchscreen or over-the-air (OTA) updates. 
  • Avoid Wireless Threats: Refrain from connecting to unknown BLE/UWB networks and using unauthorized TPMS accessories. 

Conclusion: 
This vulnerability demonstrates how auxiliary vehicle systems like TPMS can serve as entry points for serious security breaches. While Tesla’s prompt patch release, reflects good incident response, this case underscores the urgency for ongoing scrutiny of wireless automotive components. Owners must apply the firmware update and maintain secure update practices to reduce the risk of exploitation. 

References

Security Advisory

High-Severity Linux Kernel Flaw Exposes Systems to Root-Level Attacks

Security advisory: Linux Kernel Flaw raised from vulnerability related to improper memory handling when the splice() function is called. Specifically, the kTLS code fails to correctly update the internal accounting of the plaintext scatter-gather buffer, leading to an out-of-bounds memory write flaw. 

OEMLinux
SeverityHigh
CVSS Score7.8
CVEsCVE-2025-21756
POC AvailableYes
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A high-severity vulnerability (CVE-2025-21756) has been discovered in the Linux kernel’s Virtual Socket (vsock) implementation, allowing local privilege escalation to root via a use-after-free (UAF) condition caused by incorrect reference counting during socket binding operations.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
​ Use-After-Free vulnerability  CVE-2025-21756Linux kernel  High  7.8

Technical Summary

The kTLS subsystem in the Linux Kernel enables direct TLS encryption and authentication functions within the kernel, supporting secure communication for protocols like HTTPS, email, and other internet-connected applications.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-21756    Linux kernel (pre-6.6.79, 6.12.16, 6.13.4, and 6.14-rc1)Improper handling of reference counts in vsock_remove_sock() leads to premature freeing of vsock objects. Attackers can exploit the Use-After- Free (UAF) by reclaiming free memory using crafted pipe buffers and leveraging unprotected tools like vsock_diag_dump() to leak kernel pointers.      Local privilege escalation to root and potential full system compromise.

CVE-2025-21756 is a use-after-free vulnerability in the Linux kernel’s vsock subsystem. It arises due to incorrect reference counter management during transport reassignment of sockets, leading to memory corruption and potential privilege escalation.

Affected systems are particularly exposed in virtualized environments where vsock is actively used.

Remediation:

  • Update Linux Kernel: Users should update their systems immediately with the latest kernel versions
  • Restrict Local Access: Until patches are applied, limit vsock use in shared environments and restrict local access where feasible.
  • Monitor for Exploitation Attempts: Watch for anomalies related to the vsock subsystem, including unexpected kernel panics or vsock socket activity.
  • Review Security Module Configurations: While AppArmor and similar LSMs offer partial protection, ensure they are enabled and correctly configured.

Conclusion:
CVE-2025-21756 poses a significant threat to Linux systems, particularly in cloud and virtualized environments. Its discovery and detailed analysis by Michael Hoefler revealed not only a critical vulnerability but also advanced exploitation techniques capable of bypassing protections like AppArmor and KASLR.

Given the existence of public proof-of-concept code and reliable attack paths, organizations must prioritize patching and mitigation to avoid root-level compromise.

References:



Security Advisory

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

As per researchers hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. Regarding this urgent patch has been released by SAP to fix CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver Visual Composer.

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

The vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.

Several cybersecurity companies have reported active exploitation in the wild.

Summary 

OEM SAP 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-31324 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability enables remote uploading and execution of malicious files by unauthenticated attackers, potentially compromising the entire system.

It is highly advised to implement patching or mitigation measures right away in order to guard against possible espionage, sabotage, data theft, and operational disruption. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Missing Authorization in Metadata Uploader  CVE-2025-31324 SAP  Critical  10.0 

Technical Summary 

The vulnerability stems from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.

Attackers can exploit this by sending crafted unauthenticated POST requests to the development server/meta data uploader endpoint, allowing them to upload arbitrary JSP webshell files.

Once uploaded, attackers can interact with these shells via simple GET requests to execute arbitrary commands, resulting in remote code execution (RCE) with <sid>adm operating system privileges — effectively giving full control over SAP systems. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-31324  SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) Missing authorization check at /developmentserver/metadatauploader enables unauthenticated malicious file uploads. Webshells planted can be used to execute OS-level commands, deploy additional malware, and move laterally across the network. Full system compromise including: 
– Remote Command Execution 
– Privilege Escalation 
– Data Exfiltration 
– Ransomware Deployment 
– Potential Espionage/Sabotage/Fraud 

Key Exploitation Details: 

  • Exploited Path: /developmentserver/metadatauploader 
  • Common Webshell Files: helper.jsp, cache.jsp, and others with randomized names. 
  • Post-Exploitation Tools: 
  • Brute Ratel: Used for C2 operations, credential theft, privilege escalation. 
  • Heaven’s Gate: 32-to-64 bit transition technique for evading endpoint detection. 

Risk Factors: 

  • Systems where Visual Composer is enabled (even though it is not enabled by default). 
  • Systems exposed to the internet. 
  • Systems without custom security measures protecting the Metadata Uploader endpoint. 

Remediation

  • Apply SAP Patch: Updated the patches released by SAP without waiting for routine patch cycles. 
  • Restrict Access: Block external access to the /development server/metadata uploader endpoint via firewall or reverse proxy rules. 
  • Disable Visual Composer: If Visual Composer is not critical to business operations, disable it to remove the attack surface. 

Recommendations: 

  • Conduct Threat Hunting: 

Scan for suspicious JSP files (e.g., helper.jsp, cache.jsp) in these directories: 

  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync 
  • Monitoring and SIEM: Forward logs from the NetWeaver server to SIEM tools and monitor for unauthorized file upload activity. 
  • Utilize Open-Source Tools: Use scanners (such as those released by Onapsis) to check system vulnerability. 

Conclusion: 
Given the criticality and active exploitation of CVE-2025-31324, organizations running SAP NetWeaver Visual Composer should prioritize patching and mitigation efforts. The potential for full system compromise, ransomware attacks, and data exfiltration represents a severe business risk. Immediate action is strongly advised to secure SAP environments and prevent exploitation. 

References

Security Advisory

Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released  

The flaw, disclosed by researchers at Cyberdom Blog, poses a significant risk to millions of Windows users and organizations relying on windows.

OEM Windows 
Severity HIGH 
CVSS Score 7.8 
CVEs CVE-2025-21204 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A high-severity vulnerability in the Windows Update Stack, CVE-2025-21204, enables local attackers to escalate privileges to SYSTEM level by exploiting trusted path abuse through symbolic links. The flaw affects various versions of Windows 10, Windows 11, and Windows Server.

A working proof-of-concept (PoC) exploit has been publicly released by security researcher Elli Shlomo, increasing the urgency to patch. The issue is addressed in the April 2025 cumulative update KB5055523. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Windows Update Stack Privilege Escalation  CVE-2025-21204 Windows  HIGH  7.8 

Technical Summary 

The vulnerability lies in how Windows Update processes such as MoUsoCoreWorker.exe and UsoClient.exe, which run with SYSTEM privileges, handle directory junctions. Attackers can delete the legitimate Tasks directory under C:\ProgramData\Microsoft\UpdateStack and replace it with a symbolic link pointing to an attacker-controlled path. This allows the execution of arbitrary code as SYSTEM without triggering traditional security mechanisms.

A public PoC developed by Elli Shlomo demonstrates this exploit using only native Windows features—no external binaries or code injection required. 

This opens the door for a range of attacks, including installing persistent malware, disabling security tools, or accessing sensitive data.

CVE ID System Affected Vulnerability Details Exploit Prerequisites Impact 
  CVE-2025-21204  Windows 10 (10.0.10240.0 < 10.0.10240.20978, etc.), Windows 11, Server Misuse of NTFS junctions allows local attackers to redirect C:\ProgramData\Microsoft\UpdateStack\Tasks to attacker-controlled locations. SYSTEM-level update processes follow these junctions and execute unauthorized code. Attackers must have local access and limited user privileges; no user interaction required   Local privilege escalation, Code execution 

Source: Cyberdom 

Recommendations

  • Apply the April 2025 cumulative update (KB5055523) immediately. 
  • Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack. 
  • Use AppLocker or WDAC to block symbolic link creation in sensitive directories. 
  • Monitor file operations involving UpdateStack and inetpub, regardless of IIS presence. 
  • Detect attempts to create NTFS junctions targeting update directories. 

Conclusion: 
CVE-2025-21204 is an example of a rather low-level and impactful threat doing trusted path abuse rather than complex memory corruption. This vulnerability demonstrates how attackers will exploit trust assumptions built into the operating system via native components.

The only defenses available are to immediately patch and harden directory access controls to stop this low-level and minimally visible localized privilege escalation. 

References


 

Security Advisory

Windows 11 DLL Flaws Open Doors to Privilege Escalation! 

Summary 

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications load DLLs.

OEM Windows 
Severity HIGH 
CVSS Score 7.3 
CVEs CVE-2025-24994, CVE-2025-24076 
No. of Vulnerabilities Patched 02 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Windows Cross Device Service Elevation of Privilege Vulnerability  CVE-2025-24076 Windows  HIGH  7.3 
​Windows Cross Device Service Elevation of Privilege Vulnerability CVE-2025-24994 Windows HIGH 7.3 

Technical Summary 

The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24076  Windows 11 Version 22H2, 22H3, 23H2, 24H2.  Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window.   Allows SYSTEM-level privilege escalation 
CVE-2025-24994 Windows 11 Version 22H2, 22H3, 23H2, 24H2 Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable.  Allows user-to-user privilege escalation 

Remediation

  • Implement Security Updates to make sure to install the current security patches made available by Microsoft, specifically March 2025 updates, into affected systems. 
  • Turn off Cross Device Service if not needed, disable the “Mobile Devices” feature in Windows 11 to avoid exploitation of the vulnerabilities. 
  • Look for Suspicious Activity constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes. 
  • Restrict User Permissions prevent non-administrative users from changing system files or running processes with elevated privileges. 
  • Support DLL Signature Verification makes all programs support DLL signature verification so that no applications can load unsigned or altered DLL files. 

Conclusion: 
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.  

While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.

References


 

Security Advisory

Critical Session Management Vulnerability in Apache Roller 

Summary Security Advisory

Apache Roller, a widely used Java-based blogging platform, enabling users to create, manage, and publish blog content. It supports features like user authentication, content management, and customizable themes.

OEM Apache 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-24859 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

A critical security vulnerability (CVE-2025-24859) has been discovered in Apache Roller (versions 1.0.0 to 6.1.4), where old sessions are not invalidated after a password change, allowing attackers to maintain unauthorized access if they have stolen a session token. This flaw poses a significant risk of session hijacking and unauthorized access, and users are advised to upgrade to version 6.1.5 to mitigate the issue. 

Vulnerability Name CVE ID Product Affected Severity 
Insufficient Session Expiration on Password Change CVE-2025-24859 Apache Roller Critical 

Technical Summary 

The vulnerability centers on insufficient session expiration.

When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions.

As a result, any session tokens  before the password change remain valid.

This means that if an attacker has already compromised a user’s credentials and established a session, they can continue to access the application even after the password is updated, effectively bypassing a key security control.

This can be a big security threat, particularly in systems used by many users or administrators, where it’s important to keep sessions secure. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24859  Apache Roller 1.0.0 – 6.1.4 Sessions are not invalidated after password change, allowing persistent access through old sessions if compromised.  Unauthorized Access /  Session Hijacking 

Remediation

  • Apply Patches Promptly: Upgrade immediately to Apache Roller version 6.1.5, which implements proper centralized session invalidation. 

Conclusion: 

CVE-2025-24859 represents a critical access control threat to Apache Roller implementations.

Although no active exploitation has been observed still now, it’s easy for attackers to misuse sessions if they gain access. Its important for organizations using Apache Roller to quickly update to version 6.1.5 to fix this problem. 

This is a critical step in maintaining the security of blog sites and protecting user data.

CVE-2025-24859 highlights the importance of robust session management in web applications.

References

Security Advisory

Dell Releases Patches for Multiple PowerScale OneFS Security Vulnerabilities 

Summary 

Dell Technologies Security Advisory

OEM Dell 
Severity Critical 
CVSS 9.8 
CVEs CVE-2025-27690, CVE-2025- 26330, CVE-2025-22471 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

​Dell Technologies has released security updates addressing multiple vulnerabilities of varying severity in its PowerScale OneFS operating system.

These vulnerabilities could be exploited by attackers to gain control of high-privilege accounts, bypass security mechanisms, or disrupt system functionality. Dell has issued patches for several of these issues, a summary of some key vulnerabilities is provided in the table below. 

Vulnerability Name CVE ID Product Affected Severity 
Default Password Vulnerability CVE-2025-27690 PowerScale OneFS   Critical 
Incorrect Authorization Vulnerability CVE-2025-26330 PowerScale OneFS   High 
Integer Overflow or Wraparound Vulnerability CVE-2025-22471 PowerScale OneFS  Medium 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact Affected Version 
CVE-2025-27690 PowerScale OneFS Dell PowerScale OneFS multiple versions contain a default password vulnerability where an unauthenticated remote attacker could potentially exploit this vulnerability, leading to the privilege escalation. Gain Privileges or Assume Identity  Versions 9.5.0.0 through 9.10.1.0 
CVE-2025-26330 PowerScale OneFS Dell PowerScale OneFS multiple versions contain an incorrect authorization vulnerability where unauthenticated local attacker could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account. Unauthorized Access Versions 9.4.0.0 through 9.10.0.1 
CVE-2025-22471 PowerScale OneFS Dell PowerScale OneFS multiple versions contain an integer overflow or wraparound vulnerability where an unauthenticated remote attacker exploits this which leads to denial of service. Service unavailable Versions 9.4.0.0 through 9.10.0.1 

Remediation

It has been recommended to upgrade to the following versions to address the security risks 

OneFS Version Updated Version 
9.10.x.x 9.10.1.1 
9.9.x.x 9.9.0.2 
9.8.x.x 9.8.0.3 
9.7.x.x 9.7.1.7 
9.5.x.x 9.5.1.3 

Workaround for CVE-2025-27690 

It’s always recommended to update to the latest version. If you’re unable to upgrade immediately, you can follow the workarounds provided by the vendor from here

References: 

Security Advisory

Critical Flaw in FortiSwitch of Fortinet Allows Attackers to Change Admin Password

An unverified password change vulnerability [CWE-620] in FortiSwitch GUI discovered.

This may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request as per Fortinet advisory released.

Summary

OEMFortinet 
SeverityCRITICAL
CVSS Score9.8
CVEsCVE-2024-48887
Actively ExploitedYes
Exploited in WildYes
Advisory Version1.0

Overview

Fortinet’s FortiSwitch product line has revealed a significant vulnerability noted as CVE-2024-48887. This flaw allows unauthenticated remote attackers to change administrative passwords by sending specially crafted requests to the device’s password management endpoint. With a CVSS score of 9.8, the vulnerability is classified as Critical and is actively being exploited in the wild.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
A unverified password change vulnerability  CVE-2024-48887Fortinet   CRITICAL  9.8

Technical Summary

A critical vulnerability (CVE-2024-48887) has been identified in Fortinet FortiSwitch devices, affecting versions 6.4.0 through 7.6.0. This flaw resides in the web-based management interface and allows remote, unauthenticated attackers to change administrator passwords by sending a specially crafted HTTP request to the set_password endpoint.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2024-48887  FortiSwitch v7.6, 7.4, 7.2, 7.0, 6.4CVE-2024-48887 is an unauthenticated password change vulnerability in FortiSwitch web GUI.
It enables remote unauthenticated attackers to modify admin passwords through crafted requests to the set_password endpoint.		    Unverified Password Change

Remediation:

  • Apply Security Patches: Install the latest security update for your FortiSwitch version. Fortinet has fixed the issue in 6.4.15 and above,7.0.11 and above,7.2.9 and above,7.4.5 and above,7.6.1 and above versions.

General Recommendations

  • Update Devices Regularly always install the latest firmware and security patches from Fortinet to fix known vulnerabilities.
  • Limit access to the FortiSwitch web GUI to trusted IP addresses and disable HTTP/HTTPS access if it is not required.
  • Set strong and unique passwords and change them regularly to prevent unauthorized access.
  • Monitor unusual Activity for suspicious logins or configuration changes.

Conclusion:


The CVE-2024-48887 vulnerability poses a serious security risk to organizations using affected FortiSwitch devices. Its ease of exploitation and the lack of authentication required make it particularly dangerous.

Organizations must act immediately by applying the relevant security patches, limiting administrative access, and monitoring for unusual activity.

References:

Scroll to top