
Latest Security News

Security Updates

Latest security news and articles covering recent vulnerabilities and their impacts.

A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0. "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ pr…
Hackers exploited a Fortinet FortiWeb flaw the same day a PoC was published, compromising dozens of systems. Hackers began exploiting a critical Fortinet FortiWeb flaw, tracked as CVE-2025-25257 (CVSS score of 9.6), on the same day a proof-of-concept (PoC) ex…
Summary Microsoft is aware of active attacks targeting on-premises SharePoint Server customers. The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. SharePoint Online in Microsoft 365 is not impacted. A …
A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation. Background: On July 18, CrushFTP published an update to its CrushWiki detailing the discovery and exploitation of a z…
CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. [...]
Posted by Kevin Backhouse on Jul 18: As promised, I've now published the full PoC that achieves code execution in evince/papers: https://github.com/github/securitylab/tree/main/SecurityExploits/DjVuLibre/MMRDecoder_scanruns_CVE-2025-53367 Kev
Posted by Jaras on Jul 18: Summary: 7-Zip supports extracting from [Compound Documents](https://en.wikipedia.org/wiki/Compound_document). Null pointer dereference in the Compound handler may lead to denial of service. Tested Version: [7-Zip 24.09](https:…
Posted by Jaras on Jul 18: Summary: Zeroes written outside the heap buffer in RAR5 handler may lead to memory corruption. Tested Version: [7-Zip 24.09](https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/). Details: Multi byte wr…
Researchers are seeing exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, which allows retrieving usernames, passwords, and other sensitive data. [...]
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-25257 Fortinet FortiWeb SQL Injection Vulnerability. These types of vulnerabilities are frequ…
Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services. The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 1…
F5 Products Denial of Service Vulnerability
2025-07-18 01:00 Hkcert.org 1 CVE
A vulnerability was identified in F5 Products. A remote attacker could exploit this vulnerability to trigger a denial of service condition on the targeted system. Note: No patch is currently available for CVE-2025-48976 of the affected products. Hence, the…
A critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2," was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public, despite Citrix stating that there was no evidence of attacks. [...]
Chromium's latest release addressed new vulnerabilities. Security updates have been released for Opera - get the latest versions now.
CVE-2024-12029: A critical deserialization vulnerability in InvokeAI's /api/v2/models/install endpoint allows remote code execution via malicious model files. Exploit risk for AI art servers. The post CVE-2024-12029 – InvokeAI Deserialization of Untrusted Dat…
A critical vulnerability (CVE-2025-20337) in Cisco's Identity Services Engine (ISE) could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices. [...]
(2025.07.18) (various)
2025-07-17 15:00 Ryukoku.ac.jp 1 CVE
ESET (Windows): CVE-2025-2425 (ITS, 2025.07.17). ESET Windows products, TOCTOU, CVE-2025-2425, V18.2. [CA8840] ESET Customer Advisory: TOCTOU race condition vulnerability in ESET products on Windows f…
Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys. The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity pat…
VyOS: VyOS 1.4.3 release
2025-07-17 13:46 Vyos.io 1 CVE
Hello, Community! Customers and holders of contributor subscriptions can now download VyOS 1.4.3 release images and the corresponding source tarball. This release includes fixes for CVE-2024-3596 (BlastRADIUS) — a vulnerability in the RADIUS PAM module that…