VulnerabilityManagement

Security Advisory

Critical Flaws Expose Schneider DCE to Remote Exploits – Patch Now 

Summary : Schneider Electric has found critical security flaws in its EcoStruxure IT Data Center Expert software (version 8.3 and earlier) which allow attackers to run harmful codes, steal data or disrupt data center operations. The EcoStruxure IT Data Center is a scalable monitoring solution for data center equipment. Through the web interface the flaw allows unauthenticated remote code execution when HTTP is enabled, though it is disabled by default.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-50121, CVE-2025-50122, CVE-2025-50123, CVE-2025-50125 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The most severe flaw lets attackers execute commands remotely without logging in and other risks include weak password generation and privilege misuse.

Schneider urges users to upgrade to version 9.0. as a priority, if users are unable to update right now, users should secure their systems by limiting access, disabling unused services, using VPNs and security best practices. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
OS Command Injection  CVE-2025-50121 EcoStruxure IT Data Center Expert (DCE)  Critical  v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50122 EcoStruxure IT Data Center Expert (DCE)  High  v 9.0 
Insufficient Entropy (Weak Root Password Generation) CVE-2025-50123 EcoStruxure IT Data Center Expert (DCE) High v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50125 EcoStruxure IT Data Center Expert (DCE) High v 9.0 

Technical Summary 

The vulnerabilities have been identified in the system that exposes it to remote takeover, unauthorized access and internal data exposure.

At the core of the risk is a command injection flaw in the web interface, where unsanitized input allows attackers to execute system-level commands without authentication.

Compounding the issue is a weak password generation mechanism that uses low-entropy values, making root credentials easier to predict if installation or update packages are obtained.

Privileged users can also exploit unsafe input handling, specifically in fields like the hostname to inject and execute arbitrary code.

Furthermore, improper validation of internal HTTP requests allows attackers to perform server-side request forgery (SSRF), potentially accessing internal services and sensitive resources without credentials. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-50121 10.0 Web interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Unauthenticated RCE, full system compromise. 
CVE-2025-50122 8.3 Password generation system Allows unauthenticated attackers to run system commands via malicious folder in web interface. Root access by reverse-engineering password generation, leading to full control. 
CVE-2025-50123 7.2 Server console interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Arbitrary command execution by privileged users, risking internal misuse or escalation  
CVE-2025-50125 7.2 HTTP request handler Attackers manipulate hidden URLs to access internal services or run code without login. Unauthorized access to internal services, RCE and data exposure. 

In addition to the Critical and High Severity vulnerabilities, Two other medium severity issues were addressed. 

CVE-2025-50124 – Improper Privilege Management (CVSS 6.9) 
This issue allows privilege escalation through a setup script by a user already holding elevated access via the console. 

CVE-2025-6438 – XML External Entity (XXE) Injection (CVSS 6.8) 

 Attackers could exploit SOAP API calls to inject malicious XML entities and gain unauthorized file access. 

Remediation

  • Immediately upgrade to EcoStruxure DCE version 9.0 or the latest one to fix critical security flaws. 

Schneider recommends hardening DCE instances per the EcoStruxure IT Data Center Expert Security Handbook and adopting cybersecurity best practices.

Attackers could gain full access, run harmful commands, or steal data. It is strongly advised to update to version 9.0 or apply strict security measures to reduce the risks immediately.

IoT and Evolving Threat landscape

Industrial IoT security threats have evolved from theoretical concerns to active, persistent dangers that target manufacturing operations worldwide.

The convergence of traditional operational technology with modern information technology has created attack vectors that cybercriminals, nation-state actors, and industrial espionage operations actively exploit.

The financial impact of industrial cybersecurity incidents continues to escalate, with the average cost of a manufacturing sector data breach reaching $4.97 million in 2024, not including potential regulatory fines, business interruption losses, and long-term reputation damage. 

The security flaws in Schneider’s EcoStruxure IT Data Center Expert software exposes the dynamic threat landscape that may exist in Industrial IoT .


These vulnerabilities in Schneider Electric’s EcoStruxure DCE can seriously affect system security and data center operations. 

References

Security Advisory

12-Year-Old Sudo Vulnerability & Chroot Flaw Enable Privilege Escalation  

Summary : Security Advisory: Two critical vulnerabilities CVE-2025-32462 and CVE-2025-32463 have been identified in the widely used Sudo utility, enabling local privilege escalation to root. System administrators rely on Sudo to enforce the principle of least privilege and maintain an audit trail of administrative actions.

The flaw, present in Sudo’s codebase for over 12 years, was discovered by Rich Mirch of the Stratascale Cyber Research Unit and affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.

Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-32463, CVE-2025-32462 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These flaws affect both legacy and modern versions of Sudo and impact Linux and Unix-like systems, including Ubuntu and macOS. One vulnerability (CVE-2025-32462)remained undiscovered for over 12 years. Both have been fixed in Sudo version 1.9.17p1. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Chroot Option Arbitrary Code Execution vulnerability  CVE-2025-32463 Sudo  Critical  1.9.17p1 
Host Option Privilege Escalation vulnerability  CVE-2025-32462 Sudo   Low  1.9.17p1 

Technical Summary 

CVE-2025-32463 – Chroot Privilege Escalation via Path Confusion 

Introduced in Sudo version 1.9.14, this vulnerability abuses the –chroot (-R) feature, allowing attackers to run commands as root even if not permitted in the sudoers file.

The flaw arises because Sudo began resolving paths inside the chroot environment before validating permissions. This allowed attackers to trick Sudo into referencing malicious configuration files (e.g., fake /etc/nsswitch.conf) and loading arbitrary shared libraries (e.g.-libnss_/woot1337.so.2) during the privilege escalation process. 

CVE-2025-32462 – Host Option Bypass 

CVE-2025-32462 exploits improper handling of the –host (-h) option in Sudo, allowing users to bypass hostname-based access restrictions and execute commands as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-32463 Stable 1.9.0 – 1.9.17  Exploits the -R chroot option to load attacker-controlled shared libraries, leading to root access even when user lacks necessary permissions.  Arbitrary code execution as root 
CVE-2025-32462 Stable 1.9.0 – 1.9.17 Legacy 1.8.8 – 1.8.32  Allows local users to abuse the -h option to bypass Host or Host_Alias restrictions and execute commands as root across unintended systems.  Local privilege escalation to root 

Remediation

Upgrade Sudo to version 1.9.17p1 or later or the appropriate patched package version provided by your Linux distribution. 

Conclusion: 
These Sudo vulnerabilities, especially CVE-2025-32463 with a CVSS score of 9.3, represent a serious threat to system integrity. Exploitable without complex tooling and with a public Proof-of-Concept (PoC) already available, this vulnerability underscores the risks posed by long-standing design flaws in foundational system utilities.

Administrators are strongly advised.

Update Sudo to version 1.9.17p1 or later on all systems. Organizations must act swiftly to patch affected systems, audit privileged access, and secure their Sudo configurations.

This incident reinforces the urgent need for continuous security reviews even for the most trusted and widely deployed open-source components and prevent unauthorized privilege escalation on affected systems.

References

Security Advisory

Critical Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-20281, CVE-2025-20282 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.  

Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​API Unauthenticated RCE vulnerability  CVE-2025-20281 ISE & ISE-PIC   Critical  3.3 Patch 6, 3.4 Patch 2 
Internal API Arbitrary File Execution vulnerability  CVE-2025-20282 ISE & ISE-PIC   Critical  3.4 Patch 2 

Technical Summary 

Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication: 

  • CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root. 
  • CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories. 

These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20281 Cisco ISE & ISE-PIC 3.3 and later Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user.  Remote code execution  
CVE-2025-20282 Cisco ISE & ISE-PIC 3.4 only An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges.   Remote code execution 

Remediation

Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates: 

Cisco ISE / ISE-PIC Version CVE-2025-20281 Fixed In CVE-2025-20282 Fixed In 
3.2 and earlier Not affected Not affected 
3.3 3.3 Patch 6 Not affected 
3.4 3.4 Patch 2 3.4 Patch 2 

Conclusion: 
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.  

Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure. 

References

Security Advisory

Privilege Escalation in Notepad++ v8.8.1 Installer via Binary Planting with Public PoC Available 

Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.

OEM Notepad++ 
Severity High 
CVSS Score 7.3 
CVEs CVE-2025-49144 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-49144 Notepad++  High  v8.8.2 

Technical Summary 

The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.

This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine. 

In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-49144  Notepad++ v8.8.1 and prior. The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges.  SYSTEM privilege escalation and full machine control 

Proof of Concept (PoC): 

  • Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer. 
  • Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges. 
  • Evidence: 
  • Process Monitor logs confirm that the installer is searching for executables in the local directory. 
  • Public PoC materials are hosted and shared, confirming reproducibility 

Remediation

  • Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32. 

Recommendations: 

  • Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories. 
  • Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories. 

Conclusion: 
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.

Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging. 

This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

References

Security Advisory

Google Chrome Zero-Day CVE-2025-2783 Exploited in APT Group TaxOff Campaigns 

Summary 

A newly-patched zero-day vulnerability in Google Chrome CVE-2025-2783 which was exploited in the wild by a threat actor TaxOff, leading to the deployment of Trinper which an advanced backdoor.

The CVE-2025-2783 exploited a sandbox escape vulnerability within Google Chrome’s Mojo IPC (Inter-Process Communication) framework, which allowed attackers to bypass the browser’s security sandbox and lead to RCE. 

TaxOff Threat Actor 

TaxOff is a highly sophisticated Advanced Persistent Threat (APT) group primarily targeting government organizations which is known for its use of advanced social engineering tactics, often involving phishing campaigns that exploit themed around financial reporting and regulatory compliance. 

The CVE-2025-2783 vulnerability was first detected in March 2025 after Kaspersky reported real-world exploitation.

TaxOff used a phishing-based delivery method, which involved embedding a malicious link in emails masquerading as invitations to legitimate events like the Primakov Readings forum.

Once the link was clicked, the CVE-2025-2783 exploit was triggered, leading to the deployment of the Trinper backdoor. It was a one-click compromise that delivered a highly tailored payload with surgical precision. 

Trinper Backdoor 

This is a multi-threaded C++ backdoor that collected host data, logged keystrokes, exfiltrated targeted documents like document, excel or pdf files and maintained remote access.

But this wasn’t just a “plug-and-play” backdoor. Trinper’s loader employed five layers of encryption, utilizing ChaCha20, modified BLAKE2b hashes, and even machine-specific environmental checks. It was decrypted only on intended systems, using unique hardware identifiers like firmware UUIDs and PEB structures. 

Source: global.ptsecurity.com 

Interestingly, researchers found that Team46, a different APT group shares many similarities with TaxOff in terms of TTPs. This overlap raises the possibility that TaxOff and Team46 are the same group operating under different aliases.

Both groups have used PowerShell-based loaders and Cobalt Strike as their primary exploitation vectors. 

This flaw allows threat actors to:

  • Execute arbitrary code
  • Bypass Chrome’s built-in security sandbox
  • Potentially gain remote control over the system

Recommendation 

The rapid exploitation of CVE-2025-2783 highlights the critical importance of timely patch management. Google released a fix for this vulnerability in March 2025, and all users are strongly advised to update their Chrome browsers to the latest version immediately. 

In addition to patching, organizations should implement the following defensive measures 

  • Enhance email filtering systems and provide regular phishing awareness training for employees. 
  • Continuously monitor systems for unusual or suspicious behavior related to script execution or network anomalies. 
  • Restrict the execution of unsigned or obfuscated scripts and macros, particularly in email attachments or downloaded files, using tools like AppLocker or Microsoft Defender ASR. 

References

Security Advisory

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI  

Summary: A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.

OEM AWS 
Severity Critical 
CVSS Score 9.5 
CVEs CVE-2025-4318 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A critical vulnerability has been discovered in AWS Amplify Studio’s UI generation tool, @aws-amplify/codegen-ui, which allows Remote Code Execution (RCE) during build or render time.

Tracked as CVE-2025-4318, this flaw originates from unsafe evaluation of user-defined JavaScript expressions without proper input validation or sandboxing.

It has been assigned a CVSS score of 9.5. Exploitation could lead to unauthorized command execution, leakage of AWS secrets, or full compromise of CI/CD environments. AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Unsafe Expression Evaluation in Codegen-UI  CVE-2025-4318 @aws-amplify/codegen-ui  Critical  2.20.3 

Technical Summary 

The vulnerability stems from how AWS Amplify Studio processed dynamic expressions defined in component fields (eg: label, placeholder).

In affected versions, these expressions were directly evaluated using eval() without any filtering or validation, assuming they were safe.

This behavior enabled attackers to inject malicious code into UI schemas that would execute during the build or runtime process particularly dangerous in CI/CD pipelines where secrets and environment variables are accessible. 

A working Proof-of-Concept (PoC) has been developed and shared by researchers, which simulates the exploit using a crafted JSON component, a Node.js script and a Python server. The PoC demonstrates successful RCE via malicious input evaluated by the vulnerable tool. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-4318  AWS Amplify Studio (<=2.20.2) Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.    RCE, exposure of secrets, CI/CD compromise, unauthorized system control 

Remediation

Upgrade Immediately: Update @aws-amplify/codegen-ui to version 2.20.3 or later, which replaces unsafe evaluation logic with a sandboxed function (safeEval) and a keyword blacklist. 

Conclusion: 
CVE-2025-4318 is a severe RCE vulnerability in AWS Amplify Studio caused by unsafe evaluation of JavaScript expressions during UI component rendering or generation.

A fully functional PoC exploit has been published, which clearly demonstrates the risk of using eval() in dynamic application code without input validation. 

The fixed version mitigates this risk by introducing a sandboxed evaluation mechanism and filtering dangerous keywords. Organizations using Amplify Studio should upgrade immediately and audit all inputs and build processes for safety. 

AWS security teams have advised developers to immediately upgrade to version 2.20.3 or later and audit all existing component schemas for potentially unsafe expressions.

The incident highlights the critical importance of implementing secure coding practices in low-code development platforms where user input directly influences code generation and execution processes.

References

Security Advisory

Critical Credential Reuse Vulnerability in Cisco ISE Cloud Deployments 

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 9.9 
CVEs CVE-2025-20286 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.

Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions. 

Vulnerability Name CVE ID Product Affected Severity 
​Cisco ISE Shared Credential Vulnerability  CVE-2025-20286 Cisco ISE   Critical 

Technical Summary 

The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Each deployment of the same ISE version on a given platform (eg – AWS 3.1) shares identical static credentials. This oversight enables an attacker to extract credentials from one deployment and reuse them to access others, if network access is available. 

This issue is only to cloud-hosted Primary Administration nodes. Traditional on-premises deployments or hybrid setups with local admin nodes are not affected. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-20286  Cisco ISE 3.1 – 3.4 Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform   Access sensitive data 

Remediation

Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4. 

Cisco ISE Release Hot Fix First Fixed Release 
3.0 and earlier Not applicable. Not affected. 
3.1 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.2 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.3 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.3P8 (November 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.4 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.4P3 (October 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.5 Not applicable. Planned release (Aug 2025) 

Conclusion: 
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.

Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation. 

Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative. 

References

Security Advisory

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform 

Summary 

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

OEM Cisco 
Severity MEDIUM 
CVSS Score 4.3 
CVEs CVE-2025-20297 
CWEs CWE-79 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

This issue allows low privileged users to execute unauthorized JavaScript code in a victim’s browser using a specific Splunk feature that generates Pdf from dashboards.

Although the vulnerability is rated as Medium (CVSS 4.3) but it could be a significant risk in environments where Splunk Web is widely accessed by users. 

The vulnerability specifically targets instances with Splunk Web enabled, which represents the majority of production deployments given the component’s central role in dashboard management and user interface functionality.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Reflected Cross Site Scripting  CVE-2025-20297 Splunk Enterprise & Cloud  Medium  Check the remediation section. 

Technical Summary 

The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low \privileged user (not an admin or power user) can inject a malicious script via this endpoint.

If a legitimate user interacts with the resulting PDF or link, their browser may execute the injected script without their consent, this is working as reflected XSS. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-20297  Splunk Enterprise & Cloud multiple versions Low-privileged users can exploit the pdfgen/render endpoint to inject unauthorized JavaScript code into a victim’s browser. Code Execution/Reflected xss. 

Remediation

Splunk has released updates, that addressed the vulnerability:  

  • Splunk Enterprise: Upgrade to version 9.4.2, 9.3.4, 9.2.6, 9.1.9 or latest. 
  • Splunk Cloud Platform: Upgrade to version 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or latest. 

If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation. For this you can review the web.conf configuration file and follow the Splunk guidance on disabling unnecessary components. 

Disabling Splunk Web may impact users who rely on the web interface so consider access controls or network-based restrictions as temporary mitigations. 

Conclusion: 
While CVE-2025-20297 is rated as a medium severity vulnerability, it should not be ignored in the environments where many users interact with Splunk dashboards. Attackers with limited permissions could potentially target higher privileged users by modifying malicious links or payloads. 

Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.

Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking. 

While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access patterns to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure

This vulnerability poses a significant risk to organizations relying on Splunk’s data analytics platform for security monitoring and business intelligence operations.

References

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Scroll to top