Privilege escalation

Security Advisory

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.

OEMLinux
SeverityHigh
CVSS ScoreN/A
CVEsCVE-2025-37899
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.

Vulnerability NameCVE IDProduct AffectedSeverity
​ksmbd use-after-free vulnerability  CVE-2025-37899Linux kernel  High

Technical Summary

The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.

A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-37899  Linux kernel (ksmbd)A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations.  Kernel memory corruption, privilege escalation, remote code execution

Remediation:

  • Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.

General Recommendations

  • Monitor your distribution’s security advisories and apply patches as soon as they are available.
  • Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
  • Use firewall rules to restrict access to SMB services to trusted networks.
  • Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
  • Audit SMB traffic for signs of abnormal session setup and teardown behavior.

Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.

The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.

References:

Security Advisory

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEMCISCO
SeverityHIGH
CVSS Score8.6
CVEsCVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​RADIUS DoS Vulnerability  CVE-2025-20152Cisco Identity Services Engine  High  ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability  CVE-2025-20113Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability  CVE-2025-20114Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-20152  CISCO ISE 3.4Improper handling of malformed RADIUS authentication requests can cause a system reload.    Denial of Service (DoS), Network Disruption
      CVE-2025-20113 Unified Intelligence Center  12.5, 12.6Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.    Privilege Escalation, Unauthorized Data Access
    CVE-2025-20114Unified Intelligence Center  12.5, 12.6Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.    Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

  • For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

  • For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

  • UIC 12.5(1)SU ES04 or later.
    • UIC 12.6(2)ES04 or later.
    • Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

Security Advisory

Critical Privilege Escalation Vulnerability in Motors WordPress Theme

Summary: A critical privilege escalation vulnerability (CVE-2025-4322) has been identified in the Motors WordPress theme, a widely used premium theme tailored for car dealerships, rentals, and vehicle listings.

OEMWordPress
SeverityCritical
CVSS Score9.8
CVEsCVE-2025-4322
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview This vulnerability affects versions up to 5.6.67 and could allow unauthenticated attackers to reset passwords for any user, including administrators, leading to complete site compromise. The issue has been addressed in version 5.6.68, and immediate patching is strongly recommended.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​Privilege Escalation via Password Reset Bypass  CVE-2025-4322Motors WordPress Theme  Critical  5.6.68

Technical Summary

The vulnerability arises from insufficient input validation in the Login Register widget of the Motors theme, specifically within the password-recovery.php template. An attacker can manipulate the hash_check parameter using an invalid UTF-8 character, which is improperly sanitized by the esc_attr() function. This allows the attacker to bypass password reset validations and change passwords without authorization, even for administrator accounts.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-4322  Motors WordPress Theme (<= 5.6.67)The password-recovery.php file fails to properly validate whether the stm_lost_password_hash exists and is correct. If the hash is empty (e.g. – no reset was requested), an attacker can bypass the check using an invalid UTF-8 character. The esc_attr() sanitization strips the invalid character after validation, resulting in a successful hash match and unauthorized password update.  Complete site compromise.

Remediation:

  • Immediately update: To mitigate the vulnerability, users of the Motors WordPress theme should immediately update to version 5.6.68 or later.

Conclusion:
CVE-2025-4322 is a critical privilege escalation vulnerability affecting over 22,000+ WordPress sites using the Motors theme.

Exploiting this flaw, unauthenticated attackers can reset administrator passwords and gain full control of vulnerable sites. The vulnerability was responsibly disclosed and swiftly addressed by the vendor, with a patched version (5.6.68) released.

Given the ease of exploitation and potential for full site compromise, users are strongly advised to update immediately.

Organizations relying on the Motors theme should also implement multi-layered security practices, such as web application firewalls, routine patching, and access monitoring, to safeguard their digital assets against similar threats in the future.

References:

Security Advisory

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

As per researchers hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. Regarding this urgent patch has been released by SAP to fix CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver Visual Composer.

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

The vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.

Several cybersecurity companies have reported active exploitation in the wild.

Summary 

OEM SAP 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-31324 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability enables remote uploading and execution of malicious files by unauthenticated attackers, potentially compromising the entire system.

It is highly advised to implement patching or mitigation measures right away in order to guard against possible espionage, sabotage, data theft, and operational disruption. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Missing Authorization in Metadata Uploader  CVE-2025-31324 SAP  Critical  10.0 

Technical Summary 

The vulnerability stems from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.

Attackers can exploit this by sending crafted unauthenticated POST requests to the development server/meta data uploader endpoint, allowing them to upload arbitrary JSP webshell files.

Once uploaded, attackers can interact with these shells via simple GET requests to execute arbitrary commands, resulting in remote code execution (RCE) with <sid>adm operating system privileges — effectively giving full control over SAP systems. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-31324  SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) Missing authorization check at /developmentserver/metadatauploader enables unauthenticated malicious file uploads. Webshells planted can be used to execute OS-level commands, deploy additional malware, and move laterally across the network. Full system compromise including: 
– Remote Command Execution 
– Privilege Escalation 
– Data Exfiltration 
– Ransomware Deployment 
– Potential Espionage/Sabotage/Fraud 

Key Exploitation Details: 

  • Exploited Path: /developmentserver/metadatauploader 
  • Common Webshell Files: helper.jsp, cache.jsp, and others with randomized names. 
  • Post-Exploitation Tools: 
  • Brute Ratel: Used for C2 operations, credential theft, privilege escalation. 
  • Heaven’s Gate: 32-to-64 bit transition technique for evading endpoint detection. 

Risk Factors: 

  • Systems where Visual Composer is enabled (even though it is not enabled by default). 
  • Systems exposed to the internet. 
  • Systems without custom security measures protecting the Metadata Uploader endpoint. 

Remediation

  • Apply SAP Patch: Updated the patches released by SAP without waiting for routine patch cycles. 
  • Restrict Access: Block external access to the /development server/metadata uploader endpoint via firewall or reverse proxy rules. 
  • Disable Visual Composer: If Visual Composer is not critical to business operations, disable it to remove the attack surface. 

Recommendations: 

  • Conduct Threat Hunting: 

Scan for suspicious JSP files (e.g., helper.jsp, cache.jsp) in these directories: 

  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync 
  • Monitoring and SIEM: Forward logs from the NetWeaver server to SIEM tools and monitor for unauthorized file upload activity. 
  • Utilize Open-Source Tools: Use scanners (such as those released by Onapsis) to check system vulnerability. 

Conclusion: 
Given the criticality and active exploitation of CVE-2025-31324, organizations running SAP NetWeaver Visual Composer should prioritize patching and mitigation efforts. The potential for full system compromise, ransomware attacks, and data exfiltration represents a severe business risk. Immediate action is strongly advised to secure SAP environments and prevent exploitation. 

References

Security Advisory

April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Summary of Microsoft April Patch Tuesday

Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.

  • 126 Microsoft CVEs addressed
  • 9 non-Microsoft CVEs included

Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts

OEMMicrosoft
SeverityCritical
Date of Announcement2025-04-08
No. of Vulnerabilities Patched135
Actively ExploitedYes
Exploited in WildYes
Advisory Version1.0

Overview

Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.

The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.

On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability]  CVE-2025-29824WindowsHigh7.8
Remote Desktop Gateway Service RCE VulnerabilityCVE-2025-27480 CVE-2025-27482WindowsHigh8.1
LDAP Service RCE VulnerabilityCVE-2025-26663WindowsHigh   8.1
LDAP Client RCE VulnerabilityCVE-2025-26670WindowsHigh8.1

Technical Summary

The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-29824  Windows 10/11, Windows ServerAn elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges.    Elevation of Privilege
  CVE-2025-27480 CVE-2025-27482  Windows RDSRace condition in Remote Desktop Gateway; triggers use-after-free allowing code execution  Remote Code Execution
  CVE-2025-26663  Windows LDAPCrafted LDAP call causes use-after-free, leading to arbitrary code execution  Remote Code Execution
CVE-2025-26670  Windows TCP/IPMemory mismanagement during DHCPv6 handling, complex exploit chain.  Remote Code Execution

Source: Microsoft & NVD

In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:

  • CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability

These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.

  • CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability

An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.

  • CVE-2025-29791 – Excel Type Confusion RCE Vulnerability

This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.

  • CVE-2025-26686 – Windows TCP/IP RCE Vulnerability

Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.

  • CVE-2025-27491 – Windows Hyper-V RCE Vulnerability

This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.

Remediation:

  • Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.

General Recommendations:

  • Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
  • Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
  • Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.

“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.

Conclusion:

The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.

Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.

IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.

References:

Security Advisory

PoC Released for High-Severity Linux Kernel UVC Driver Vulnerability

OEMLinux
SeverityHIGH
CVSS7.8
CVEsCVE-2024-53104
Actively ExploitedYes
Publicly POC AvailableYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

CVE-2024-53104 is a high-severity out-of-bounds write vulnerability in the Linux kernel’s USB Video Class (UVC) driver, leading to privilege escalation. The issue affects Linux kernel versions 2.6.26 and later. The vulnerability has gained renewed attention as a proof-of-concept (PoC) exploit has now been publicly released, increasing the risk of exploitation. A patch has been released to address this vulnerability, but unpatched systems remain at high risk.

Vulnerability NameCVE IDProduct AffectedSeverity
  out-of-bounds write vulnerability  CVE-2024-53104  Linux Kernel    High

Technical Summary

The vulnerability exists in the uvc_parse_format function of the UVC driver (uvc_driver.c). It arises due to improper parsing of UVC_VS_UNDEFINED frames, leading to incorrect buffer allocation and out-of-bounds writes.

An attacker could exploit this flaw by inserting a malicious USB device or manipulating video streams, potentially leading to memory corruption, privilege escalation, or arbitrary code execution.

CVE IDSystem AffectedVulnerability DetailsImpact
  CVE-2024-53104    Linux Kernel (2.6.26 and later)  Incorrect parsing of UVC_VS_UNDEFINED frames in uvc_parse_format, leading to miscalculated buffer sizes and memory corruption.    Privilege escalation, system instability, arbitrary code execution  

Remediation:

  • Apply Security Patches: Ensure that the latest security patches provided by the Linux distribution maintainers are promptly applied to mitigate vulnerability.

Recommendations

  • Implement USB Device Control Policies: Organizations should establish and enforce USB device control policies to prevent unauthorized usage and ensure only approved devices can be connected.
  • Deploy Log Monitoring and Analysis Tools: Implement security monitoring tools to continuously monitor logs for potential security incidents, such as exploitation attempts or suspicious activity.

Conclusion:

CVE-2024-53104 is a major vulnerability that poses a substantial risk to Linux systems since it allows for privilege escalation and arbitrary code execution. Users and administrators are strongly urged to apply the latest security patches to mitigate the risk of exploitation. Additionally, implementing a multi-layered security approach can further enhance system protection.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) list, emphasizing the need for immediate remediation.

CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.

References:

Security Advisory

Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately 

Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.

Continue Reading
Security Advisory

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM

Microsoft

Severity

Critical

CVSS Score

7.8

CVE

CVE-2024-49138

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Publicly POC Available

Yes


Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name

CVE ID

Product Affected

Severity

CLFS Privilege Escalation

CVE-2024-49138

Microsoft Windows

High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49138

Windows 10, Windows 11, Windows Server 2008–2025

Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.

Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

  1. Update Systems: Apply Microsoft’s December 2024 patches without delay.
  2. Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
  3. Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

Scroll to top