24 December 2025
CVE-2025-68613 carries a CVSS score of 9.9/10.0. The issue, which affects all versions higher than 0.211.0 and below 1.120.4, has been patched in 1.120.4, 1.121.1, and 1.122.0.
A maximum-severity bug, CVE-2025-37164, rated 10.0 on the CVSS scale, affects HPE OneView versions 5.20 through 10.20 and allows unauthenticated remote code execution.
FortiSandbox analysis appliances to fix CVE-2025-53949. The “OS Command Injection” flaw means the appliance does not correctly check the commands it receives before executing them.
React Server Components (CVE-2025-55182) & Next.js can be impacted downstream by React2Shell.
Windows PowerShell CVE-2025-54100 allows attackers to execute malicious code on affected systems. It was publicly disclosed on December 9, 2025.
Attackers are exploiting CVE-2025-8489 in the King Addons for Elementor plugin for WordPress to obtain administrative permissions during the registration process. The plugin is used on roughly 10,000 websites.
Google says there are “indications” that CVE-2025-48633 and CVE-2025-48572 “may be under limited, targeted exploitation.”
CVE-2025-21042 was discovered in Samsung’s libimagecodec.quram.so library, allowing remote attackers to gain code execution on devices running Android 13 and later.
CVE-2025-49844, a critical (CVSS 10.0) use-after-free (UAF) vulnerability in Lua scripting, could allow authenticated attackers to execute remote code on older versions of Redis and Valkey with Lua scripting enabled.
CVE-2025-48593 is a remote code execution (RCE) bug discovered in the System component. The flaw affects multiple versions of the Android Open Source Project (AOSP).
Attackers are already targeting a vulnerability in the Post SMTP plug-in that allows them to fully compromise an account and website for nefarious purposes.
CVE-2025-58726: ghost SPNs, service principal names referencing hostnames that don’t resolve in DNS, create exploitable attack surfaces in Active Directory environments.
CVE-2025-2783 (CVSS score: 8.3) is a sandbox escape used as part of a campaign dubbed Operation ForumTroll targeting organizations in Russia. The cluster is tracked as TaxOff/Team 46.
Nation-State Cyber Threat Actor Poses Immediate Risk to Federal Networks. CISA has issued Emergency Directive 26-01. This directive is the third issued under the Trump Administration.
CVE-2025-59287 is a WSUS remote code execution vulnerability impacting Windows Server 2012, 2016, 2019, 2022 and 2025. WSUS is a component of the Windows Server OS used to centrally manage updates & patches.
A new technique allows hackers to extract encrypted authentication tokens from Microsoft Teams on Windows, enabling unauthorized access to chats, emails, and SharePoint files.
Fortinet’s CVE-2025-58325 in FortiOS enables local authenticated attackers to execute arbitrary system commands. With a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), it poses significant risks to enterprises.
CVE-2025-32463 affects the chroot feature in Sudo versions 1.9.14 through 1.9.17, enabling local attackers to escalate privileges to root level with minimal effort.
It also addresses 8 “Critical” vulnerabilities. The bugs: 80 Elevation of Privilege, 11 Security Bypass, 31 Remote Code Execution, 28 Information Disclosure, 11 Denial of Service, 10 Spoofing.
CVE-2025-61984 could allow an attacker to achieve remote code execution on a victim’s machine. It is a bypass of a previous fix for a similar issue (CVE-2023-51385).