Privilege escalation

Security Advisory

Elastic Releases Critical Security Updates for Kibana & Elasticsearch 

Security Advisory:

Elastic has released security updates for Kibana and Elasticsearch.

Addressed 5 vulnerabilities, including 3 high-severity Cross-Site Scripting (XSS) issues

This also include one sensitive data exposure flaw, and one credential leakage issue

OEM Elastic 
Severity High 
CVSS Score 8.7 
CVEs CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The most severe, CVE-2025-25009 (CVSS 8.7), affects Kibana’s case file upload functionality, potentially allowing attackers to execute arbitrary scripts. These vulnerabilities could allow data theft, session hijacking or privilege escalation in affected environments. Users & Administrators strongly advise to update to the patched versions immediately to mitigate risks. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Stored XSS Vulnerability via Case File Upload Vulnerability CVE-2025-25009 Kibana  High  v8.18.8, v8.19.5, v9.0.8, v9.1.5 
Kibana Cross Site Scripting (XSS) Vulnerability CVE-2025-25017 Kibana High 
Kibana Stored Cross Site Scripting (XSS) Vulnerability CVE-2025-25018 Kibana High 

Technical Summary 

Elastic’s latest security patches fix several vulnerabilities in Kibana and Elasticsearch. These vulnerabilities could let attackers inject malicious code or gain access to sensitive information.

This could result in stolen data, taken-over user sessions, or even gaining higher access levels in the system. Although no active exploits have been reported, users are strongly advised to update immediately for protection to ensure optimal security and stability . 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-25009 Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) Stored XSS via malicious file uploads in case management, allowing JavaScript injection Data Theft,  Session Hijacking,  Privilege Escalation 
CVE-2025-25017 Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.3, 9.0.x ≤ 9.0.6, 9.1.x ≤ 9.1.3) XSS in Vega visualization engine due to improper neutralization of inputs, enabling script execution Malicious Script Execution 
CVE-2025-25018 Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) Stored XSS in Kibana due to improper validation of specified type of input.  Session Compromise, Unauthorized Access 

Other Vulnerabilities 

In addition to the three high-severity flaws, Elastic patched 2 other vulnerabilities in the same Security Announcements release. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Sensitive Data Exposure in Audit Logging CVE-2025- 37727 Elasticsearch Medium v8.18.8, v8.19.5, v9.0.8, v9.1.5 
Credential Leakage in CrowdStrike Connector CVE-2025- 37728 Kibana (CrowdStrike Connector) Medium v8.18.8 and higher 

Recommendations

Update Kibana and Elasticsearch immediately to the following versions 

  • Kibana/Elasticsearch: v8.18.8, v8.19.5, v9.0.8, v9.1.5 or the latest version. 

If unable to update immediately you can follow some workarounds below 

  • For the CVE-2025-25009, For versions >= 7.12 to < 9.0 users can set “discover:searchFieldsFromSource: true” in Advanced Settings and there are no workarounds for 9.0+. 
  • For the CVE-2025-25017, users can disable Vega visualizations but note that this will disable all Vega charts in Kibana. 
  • For the CVE-2025-37727, users can set “xpack.security.audit.logfile.events.emit_request_body” to “false”. 

Conclusion: 
The Elastic security update addresses severe vulnerabilities in Kibana and Elasticsearch, including high-severity XSS issues that could enable attackers to compromise dashboards, steal data, or escalate privileges.

Although no exploitation has been reported but these vulnerabilities need immediate patching. Immediate action is essential to maintain system integrity and protect sensitive data in monitoring and logging environments. 

References

Security Advisory

Vulnerability in Spring Cloud Gateway Server WebFlux Discovered; Target of Ease by Attackers

Security Advisory: CVE-2025-41243, A critical vulnerability has been disclosed in Spring Cloud Gateway Server WebFlux. This vulnerability allows attackers to modify sensitive Spring Environment properties under specific configurations.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-41243 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability has been assigned the maximum CVSS score of 10.0. It arises when actuator endpoints are exposed without proper security controls, potentially allowing attackers to compromise application behavior. Organizations and users of affected versions are strongly urged to upgrade to the fixed releases. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Expression Language Property Modification  CVE-2025-41243  Spring Cloud Gateway WebFlux  Critical   v4.3.1,  
v4.2.5, v4.1.11, v3.1.11  

Technical Summary 

CVE-2025-41243 is a critical vulnerability occurs when the Spring Boot actuator is included as a dependency and the gateway actuator endpoint is explicitly exposed via the “management.endpoints.web.exposure.include=gateway” configuration.

In such cases, if actuator endpoints are unsecured or exposed to public networks, an attacker could exploit them to modify Spring Environment properties at runtime. This could cause unauthorized access, configuration tampering, and potential application compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41243    4.3.0 – 4.3.x 4.2.0 – 4.2.x 4.1.0 – 4.1.x 4.0.0 – 4.0.x 3.1.0 – 3.1.x Older, unsupported versions   Improperly secured actuator endpoints in Spring Cloud Gateway WebFlux allow unauthorized modification of Spring Environment properties. Unauthorized access potential privilege escalation 

Remediation – 

Upgrade Immediately patch to fixed versions: 

Affected Version Range Upgrade To 
4.3.x 4.3.1 
4.2.x 4.2.5 
4.1.x and 4.0.x 4.1.11 
3.1.x 3.1.11 
Unsupported versions Migrate to a supported release 

If you are unable to upgrade right now, here are the recommendations below 

  • Remove gateway from the “management.endpoints.web.exposure.include” property or secure the actuator endpoints. 
  • Secure actuator endpoints with proper authentication and access controls. 
  • Regularly audit and harden application configuration files. 
  • Monitor application and network logs for suspicious activity or unauthorized access attempts. 
  • Implement firewall rules or reverse proxies to restrict access to sensitive endpoints. 
  • Ensure all systems follow patch management and update policies. 

Conclusion 
CVE-2025-41243 is a critical vulnerability affecting Spring Cloud Gateway WebFlux, allowing remote attackers to modify environment properties when actuator endpoints are misconfigured and exposed.

While no active exploitation has been observed in the wild, vulnerability poses a high risk to application integrity and security due to its CVSS score of 10.0 and ease of exploitation in exposed systems.

Organizations are strongly advised to upgrade to the fixed versions, secure actuator endpoints, and follow best practices to reduce attack surface and prevent future exploitation. 

References 

Security Advisory

MediaTek Patches Critical Modem Vulnerabilities  

Security Advisory: MediaTek disclosed critical vulnerabilities along with remediation for its modem and system components. Since the vulnerabilities affected thousands of devices, amounting to both multiple high- and medium vulnerabilities that affected, 60 chipsets used in smartphones, routers and IoT devices.

OEM MediaTek 
Severity High 
CVSS Score 8.3 (NOA) 
CVEs CVE-2025-20708, CVE-2025-20703, CVE-2025-20704, CVE-2025-20705, CVE-2025-20706, CVE-2025-20707 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

MediaTek issued a critical security update in September 2025 and key issues include modem-related flaws such as remote code execution, denial of service via rogue base stations and local privilege escalation.

Other vulnerabilities include WLAN buffer overflows, bootloader logic flaws and keymaster information leaks impacting Android devices and OpenWRT/Yocto platforms. There has been no active exploitation noticed and MediaTek began distributing patches to OEMs from July 2025 and urges immediate firmware updates to mitigate the issues. 

                Vulnerability Name CVE ID Product Affected Severity 
​Out-of-bounds write in Modem  CVE-2025-20708 Affected chipsets – 60 chipsets 
Modem NR15,16,17,17R software versions. 		 High 
Out-of-bounds read in Modem CVE-2025-20703 Affected chipsets – 57 chipsets 
Modem NR15,16,17,17R software versions. 		High 
Out-of-bounds write in Modem CVE-2025-20704 Affected chipsets – 14 chipsets 
Modem NR17,17R software versions. 		High 
Use after free in monitor_hang CVE-2025-20705 Affected chipsets – 39 chipsets 
Android 13 – 16,   openWRT 19.07, 21.02 / Yocto 2.6 software versions. 		Medium 
Use after free in mbrain CVE-2025-20706 Affected chipsets – 5 chipsets 
Android 14 – 15 software versions. 		Medium 
Use after free in geniezone CVE-2025-20707 Affected chipsets – 60 chipsets 
Android 13 – 15 software versions. 		Medium 

Technical Summary 

These vulnerabilities primarily include out-of-bounds read and write errors (CWE-125, CWE-787) and use-after-free issues (CWE-416), resulting from improper bounds checking and memory management flaws. 

An attacker controlling a rogue base station can exploit these flaws remotely without requiring user interaction, potentially causing remote denial of service, unauthorized privilege escalation, or local privilege escalation if system privileges are already obtained. The exploitation of these vulnerabilities could compromise device stability, security and confidentiality by corrupting memory or executing arbitrary code. Affected devices use modem firmware versions NR15 through NR17R, and a wide spectrum of chipsets, highlighting the broad attack surface. 

CVE ID Vulnerability Details Impact 
CVE-2025-20708 An out-of-bounds write flaw exists in the Modem due to incorrect bounds checking. This vulnerability allows remote escalation of privilege when a UE connects to a rogue base station, without requiring additional execution privileges or user interaction. Unauthorized access, data interception, disruption of cellular services 
CVE-2025-20703 The Modem is affected by an out-of-bounds read issue caused by improper bounds validation. This can result in remote denial of service if connected to a malicious base station, and exploitation requires no user interaction or extra privileges. Denial of Service (DoS), modem or device crash, freeze, unresponsiveness 
CVE-2025-20704 Due to a missing bounds check, the Modem is vulnerable to an out-of-bounds write. Exploiting this flaw can lead to remote escalation of privilege when connected to a rogue base station, though user interaction is necessary. Remote privilege escalation, unauthorized elevated access 
CVE-2025-20705 A use-after-free condition in the monitor_hang module can cause memory corruption, potentially leading to local escalation of privilege if the attacker already has System-level access. Exploitation does not require user interaction. Local privilege escalation, memory corruption 
CVE-2025-20706 The mbrain component suffers from a use-after-free vulnerability that can result in memory corruption. This may allow local privilege escalation for an attacker with System privileges, without needing user interaction. Local privilege escalation, memory corruption 
CVE-2025-20707 In the geniezone module, a use-after-free vulnerability can cause memory corruption and permit local privilege escalation if the attacker has System privileges, with no user interaction needed. Local privilege escalation, memory corruption 

Recommendations

Here are some recommendations below 

  • Once OEM updates are available, make sure to update your device promptly to apply the latest security patches addressing these vulnerabilities. 
  • Avoid connecting to unknown networks to reduce the risk of remote exploitation. 
  • Keep your device’s operating system and apps updated to the latest version. 

Conclusion: 
MediaTek’s recent security update addresses critical vulnerabilities, especially in modem firmware, that could allow remote attacks without user interaction. Although no active exploits have been found, the severity and scope of these flaws make it vital for manufacturers and users to promptly apply patches to protect devices and data. 

The company reassures end users that proactive notification and remediation precede public disclosure, underscoring MediaTek’s commitment to chipset and product security.

References

Security Advisory

7-Zip Security Flaw Allows Malicious File Writes and Potential Exploits 

Summary Security Advisory: 7-Zip Security Flaw

A vulnerability in 7-Zip (versions before 25.01) allows attackers to abuse symbolic links in archive files to write files outside the intended extraction directory.

Severity Low 
CVSS Score 3.6 
CVEs CVE-2025-55188 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This can lead to overwriting sensitive files, potentially enabling code execution or privilege escalation. The flaw is primarily exploitable on Linux systems due to common file permission models but can also impact Windows under specific conditions. Affected archive formats include ZIP, TAR, 7Z and RAR. 

The security flaw was  reported and discoverd by security researcher lunbun, who identified that 7-Zip fails to properly validate symbolic links when extracting certain archive formats.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ 7-Zip Arbitrary File Write via Symbolic Link Flaw  CVE-2025-55188 7-Zip  Low  25.01 and later. 

Technical Summary 

Cause: Improper validation of symbolic links during archive extraction. 

Attack Vector: Malicious archives can contain symlinks pointing outside the extraction directory. 

Impact: Overwrites arbitrary files on the system. On Linux, this can replace startup scripts, configuration files, or binaries to gain elevated privileges. On Windows, exploitation requires write access to target paths. 

Affected Formats: ZIP, TAR, 7Z, RAR. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-55188 3.6 Linux, Windows 7-Zip versions 7-Zip mishandles symbolic links in archives, letting attackers write files anywhere on the system during extraction. Code execution, Privilege escalation 

Recommendations: 

Here are some recommendations below 

  • Update 7-Zip to version 25.01 or latest one.  
  • Avoid extracting archives from untrusted sources. 
  • Always consider using sandboxed environments for unknown files extraction. 

Conclusion: 
While CVE-2025-55188 carries a low CVSS score, the real-world impact can be severe in certain environments, especially on Linux systems with high-privilege extraction processes.

Immediate patching to 7-Zip 25.01 or later is strongly advised to mitigate the risk of arbitrary file overwrite attacks. 

The researcher has submitted a request for reevaluation of the CVSS score and offered to provide proof-of-concept demonstrations to package repository maintainers who require additional verification.

References

Security Advisory

12-Year-Old Sudo Vulnerability & Chroot Flaw Enable Privilege Escalation  

Summary : Security Advisory: Two critical vulnerabilities CVE-2025-32462 and CVE-2025-32463 have been identified in the widely used Sudo utility, enabling local privilege escalation to root. System administrators rely on Sudo to enforce the principle of least privilege and maintain an audit trail of administrative actions.

The flaw, present in Sudo’s codebase for over 12 years, was discovered by Rich Mirch of the Stratascale Cyber Research Unit and affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.

Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-32463, CVE-2025-32462 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These flaws affect both legacy and modern versions of Sudo and impact Linux and Unix-like systems, including Ubuntu and macOS. One vulnerability (CVE-2025-32462)remained undiscovered for over 12 years. Both have been fixed in Sudo version 1.9.17p1. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Chroot Option Arbitrary Code Execution vulnerability  CVE-2025-32463 Sudo  Critical  1.9.17p1 
Host Option Privilege Escalation vulnerability  CVE-2025-32462 Sudo   Low  1.9.17p1 

Technical Summary 

CVE-2025-32463 – Chroot Privilege Escalation via Path Confusion 

Introduced in Sudo version 1.9.14, this vulnerability abuses the –chroot (-R) feature, allowing attackers to run commands as root even if not permitted in the sudoers file.

The flaw arises because Sudo began resolving paths inside the chroot environment before validating permissions. This allowed attackers to trick Sudo into referencing malicious configuration files (e.g., fake /etc/nsswitch.conf) and loading arbitrary shared libraries (e.g.-libnss_/woot1337.so.2) during the privilege escalation process. 

CVE-2025-32462 – Host Option Bypass 

CVE-2025-32462 exploits improper handling of the –host (-h) option in Sudo, allowing users to bypass hostname-based access restrictions and execute commands as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-32463 Stable 1.9.0 – 1.9.17  Exploits the -R chroot option to load attacker-controlled shared libraries, leading to root access even when user lacks necessary permissions.  Arbitrary code execution as root 
CVE-2025-32462 Stable 1.9.0 – 1.9.17 Legacy 1.8.8 – 1.8.32  Allows local users to abuse the -h option to bypass Host or Host_Alias restrictions and execute commands as root across unintended systems.  Local privilege escalation to root 

Remediation

Upgrade Sudo to version 1.9.17p1 or later or the appropriate patched package version provided by your Linux distribution. 

Conclusion: 
These Sudo vulnerabilities, especially CVE-2025-32463 with a CVSS score of 9.3, represent a serious threat to system integrity. Exploitable without complex tooling and with a public Proof-of-Concept (PoC) already available, this vulnerability underscores the risks posed by long-standing design flaws in foundational system utilities.

Administrators are strongly advised.

Update Sudo to version 1.9.17p1 or later on all systems. Organizations must act swiftly to patch affected systems, audit privileged access, and secure their Sudo configurations.

This incident reinforces the urgent need for continuous security reviews even for the most trusted and widely deployed open-source components and prevent unauthorized privilege escalation on affected systems.

References

Security Advisory

Privilege Escalation in Notepad++ v8.8.1 Installer via Binary Planting with Public PoC Available 

Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.

OEM Notepad++ 
Severity High 
CVSS Score 7.3 
CVEs CVE-2025-49144 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-49144 Notepad++  High  v8.8.2 

Technical Summary 

The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.

This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine. 

In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-49144  Notepad++ v8.8.1 and prior. The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges.  SYSTEM privilege escalation and full machine control 

Proof of Concept (PoC): 

  • Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer. 
  • Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges. 
  • Evidence: 
  • Process Monitor logs confirm that the installer is searching for executables in the local directory. 
  • Public PoC materials are hosted and shared, confirming reproducibility 

Remediation

  • Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32. 

Recommendations: 

  • Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories. 
  • Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories. 

Conclusion: 
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.

Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging. 

This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

References

Uncategorized

Privilege Escalation Vulnerability in AI Engine WordPress Plugin, Allows Subscriber-Level Account Takeover 

Summary :Security Advisory: A critical privilege escalation vulnerability (CVE-2025-5071) was discovered in the AI Engine WordPress plugin, allowing subscriber-level users to gain administrator privileges when the MCP (Model Context Protocol) module is enabled.

OEM WordPress 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-5071 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the ‘Meow_MWAI_Labs_MCP::can_access_mcp’ function in versions 2.8.0 to 2.8.3.

This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like ‘wp_create_user’, ‘wp_update_user’ and ‘wp_update_option’, which can be used for privilege escalation, and ‘wp_update_post’, ‘wp_delete_post’, ‘wp_update_comment’ and ‘wp_delete_comment’, which can be used to edit and delete posts and comments.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-5071 AI Engine WordPress Plugin  High  2.8.4 

Technical Summary 

AI Engine is a WordPress plugin that recently introduced support for MCP (Model Context Protocol), which allows AI agents – such as Claude or ChatGPT – to control and manage the WordPress website by executing various commands, managing media files, editing users, and performing complex tasks more reliably than through standard APIs.

The vulnerability stems from insufficient authorization checks in the can_access_mcp () function within the plugin, enabling any authenticated (logged-in) user to bypass Bearer Token validation and access MCP endpoints.

This access can be exploited to escalate user privileges by executing commands such as wp_update_user, ultimately leading to full site compromise. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-5071  WordPress with AI Engine Plugin 2.8.0–2.8.3 The can_access_mcp() function incorrectly grants MCP endpoint access to all logged-in users. Even when Bearer Token authentication is enabled, lack of empty value checks in the token validation logic allows privilege escalation.  Complete site compromise 

Remediation

  • Immediate Action: Update the AI Engine plugin to version 2.8.4 or later. 
  • Configuration Check: Ensure that MCP and Dev Tools modules remain disabled unless it’s necessary. 

Conclusion: 
The CVE-2025-5071 vulnerability in the AI Engine WordPress plugin highlights the potential risks when advanced modules like MCP are misconfigured.

Even though the feature is disabled by default, sites that have enabled it become susceptible to complete takeover by authenticated users.

Website administrators are urged to update to version 2.8.4 immediately and verify that security best practices are enforced to prevent such escalations. With over 100,000 active installations, this flaw presents a significant risk to the WordPress ecosystem if left unpatched. 

References

t  

Security Advisory

Veeam Backup Patched Critical Vulnerabilities Enabling RCE & Privilege Escalation 

Summary ; Security Advisory

Veeam disclosed three critical vulnerabilities affecting its widely deployed backup software. Veeam Backup & Replication is an enterprise-grade data protection solution used to back up, recover and replicate virtual machines, cloud workloads including physical servers.

OEM Veeam 
Severity Critical 
CVSS Score 9.9 
CVEs CVE-2025-23121, CVE-2025-24286, CVE-2025-24287 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Multiple high-impact vulnerabilities have been disclosed in Veeam Backup & Replication and Veeam Agent for Microsoft Windows, impacting versions prior to 12.3.2 and 6.3.2 respectively.

The most critical issue (CVE-2025-23121) may allow a remote code execution (RCE) on the backup server by an authenticated domain user, effectively granting complete control over backup infrastructure. 

The vulnerabilities also include risks of unauthorized modification of backup jobs (CVE-2025-24286) and privilege escalation via local directory manipulation (CVE-2025-24287). These flaws could enable attackers to execute arbitrary code or gain elevated permissions. 

These flaws pose significant risks to organizations relying on Veeam for data integrity and disaster recovery. The data protection system of an organization may get affected if compromised and threaten domain-joined backup servers.

Vulnerability Name CVE ID Product Affected Severity 
Remote Code Execution via Authenticated Domain User  CVE-2025-23121 Veeam Backup & Replication  Critical (9.9) 
Arbitrary Code Execution via Backup Operator Role Abuse  CVE-2025-24286 Veeam Backup & Replication  High (7.2) 
Privilege Escalation via Directory Manipulation  CVE-2025-24287 Veeam Agent for Microsoft Windows  Medium (6.1) 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-23121  Veeam Backup & Replication 12.3.1.1139 and all earlier v12 builds A remote code execution vulnerability affecting domain-joined Veeam backup servers. An authenticated domain user may execute arbitrary commands with elevated privileges.   Remote Code Execution 
  CVE-2025-24286 Veeam Backup & Replication 12.3.1.1139 and earlier  Authenticated users with the Backup Operator role can modify backup job configurations to inject and execute code.   Arbitrary Code Execution 
  CVE-2025-24287  Veeam Agent for Microsoft Windows 6.3.1.1074 and earlier  Local users can manipulate directory contents leading to code execution with elevated privileges.  Local Privilege Escalation  

Remediation

Users are strongly advised to apply the following updates to mitigate the risks: 

  • Upgrade Veeam Backup & Replication to 12.3.2 (build 12.3.2.3617) or later 
  • Upgrade Veeam Agent for Microsoft Windows to 6.3.2 (build 6.3.2.1205) or later 

Here are some recommendations below 

  • Limit backup server access to trusted users only to reduce the risk of unauthorized control. 
  • Apply least privilege principles for backup roles so users have only the permissions they need. 
  • Regularly monitor backup job changes and system logs to detect suspicious activity early. 
  • Provide security awareness training to staff focusing on backup and recovery best practices. 

Conclusion:  For Security Best practices

Veeam has released patches to address all three vulnerabilities and urged organizations to update Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) and Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205) as soon as possible.

For security best practices maintaining up-to-date backup systems, prompt patching and adherence to security best practices are essential to prevent potential exploitation and data compromise.

The critical nature of vulnerabilities demands backup and disaster recovery along with strict access controls and ongoing monitoring as essential tips to safeguard infrastructure that have been backed up from potential attacks. 

References

Security Advisory

Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass  

Security Advisory; Summary

Multiple vulnerabilities have been identified in Apache Tomcat affecting various versions and critical security updates provided to address four newly discovered vulnerabilities in Apache Tomcat. The disclosed Apache Tomcat vulnerabilities pose serious threats, especially in high-availability or internet-exposed environments.

Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.

OEM Apache 
Severity High 
CVSS Score 8.4 
CVEs CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The affected versions 9.0.x, 10.1.x and 11.0.x, also include high-impact denial-of-service (DoS) vulnerabilities and a moderate authentication bypass flaw as well as a Windows installer issue that may allow privilege escalation via side-loading. 

Timely patching is essential to prevent potential service disruptions and unauthorized access. 

Vulnerability Name CVE ID Product Affected Severity 
​Memory Exhaustion via Multipart Header Exploitation  CVE-2025-48976 Apache Tomcat  High 
Multipart Upload Resource Exhaustion  CVE-2025-48988 Apache Tomcat  High 
Security Constraint Bypass (Pre/PostResources)  CVE-2025-49125 Apache Tomcat  High 
Windows Installer Side-Loading Risk  CVE-2025-49124 Apache Tomcat  High 

Technical Summary 

The vulnerabilities affect Tomcat’s handling of multipart HTTP requests, resource mounting and Windows installation process. Exploitation may result in denial-of-service (via memory exhaustion), privilege escalation (via installer abuse) and authentication bypass. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-48976 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Fixed memory allocation limit in multipart header processing could be exploited to consume memory and cause DoS.  Denial-of-service attack. 
  CVE-2025-48988 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Multipart request body with many parts can trigger high memory usage due to improper limit handling between parameters and parts.  Denial-of-service attack. 
  CVE-2025-49125  Tomcat with Pre/Post Resources enabled Lack of resource path normalization allows attackers to access resources outside root bypassing auth controls. Authentication and Authorization Bypass. 
  CVE-2025-49124  Tomcat Windows Installers Installer invoked icacls.exe without full path, making it vulnerable to side-loading attacks via PATH manipulation. Privilege Escalation. 

Remediation

Update Immediately: Users of the affected versions should apply one of the following mitigations. 

  • Upgrade to Apache Tomcat 11.0.8 or later 
  • Upgrade to Apache Tomcat 10.1.42 or later   
  • Upgrade to Apache Tomcat 9.0.106 or later 

Conclusion: 

Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls. 

The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.

Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages, or unauthorized access.

References

  • https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db 

Security Advisory

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-06-10 
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client. 

  • 67 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed 

Breakdown of May 2025 Vulnerabilities 

  • 25 Remote Code Execution (RCE) 
  • 17 Information Disclosure 
  • 14 Elevation of Privilege (EoP) 
  • 6 Denial of Service (DoS)  
  • 3 Security Feature Bypass 
  • 2 Spoofing 
  • 2 Chromium (Edge) Vulnerabilities 
  • 1 Windows Secure Boot 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebDAV Remote Code Execution (Exploited in the wild)  CVE-2025-33053 Windows High 8.8 
SMB Client Elevation of Privilege (Publicly disclosed) CVE-2025-33073 Windows  High 8.8 

Technical Summary 

Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-33053 Windows 10,11 and Windows Server WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. Remote Code Execution 
CVE-2025-33073 Windows 10,11 and Windows Server EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. Elevation of Privilege  

Source: Microsoft and NVD 

In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed: 

  • CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4) 
  • CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8) 
  • CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1) 
  • CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1) 
  • CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8) 
  • CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8) 
  • CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8) 
  • CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8) 
  • CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5) 

Remediation

  • Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks. 

General Recommendations: 

  • Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution. 
  • Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure. 
  • Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073. 
  • Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems. 
  •  Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule. 

Conclusion: 

Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.

Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency. 

References

Scroll to top