Top Critical CVEs 2025
The most severe vulnerabilities requiring immediate attention. These CVEs have CVSS scores of 9.0 or higher and pose significant security risks.
Understanding Critical Vulnerabilities
Critical vulnerabilities represent the highest severity security flaws in software and systems. With CVSS scores ranging from 9.0 to 10.0, these vulnerabilities can lead to complete system compromise, unauthorized access, data breaches, and service disruption. Organizations must prioritize patching critical CVEs immediately to protect their infrastructure and sensitive data.
The vulnerabilities listed on this page are automatically updated from our comprehensive vulnerability intelligence database. Each CVE entry includes detailed information about severity, exploit availability, EPSS scores (exploit probability), and whether it's listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. This intelligence helps security teams make informed decisions about vulnerability prioritization and remediation efforts.
Why Critical CVEs Matter
- High Impact: Critical vulnerabilities can result in complete system takeover, allowing attackers to execute arbitrary code, access sensitive data, or disrupt services.
- Rapid Exploitation: Attackers actively scan for and exploit critical vulnerabilities, often within hours or days of disclosure.
- Compliance Requirements: Many security frameworks and regulations require immediate patching of critical vulnerabilities.
- Supply Chain Risk: Critical vulnerabilities in widely-used libraries or frameworks can affect millions of systems simultaneously.
CVE-2025-0471
January 16, 2025
Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, …
CVE-2025-0456
January 16, 2025
The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve all accounts and passwords.
CVE-2025-0455
January 16, 2025
The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2024-9636
January 15, 2025
The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user …
CVE-2025-23061
January 15, 2025
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVE-2024-54142
January 14, 2025
Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak …
CVE-2024-48856
January 14, 2025
Out-of-bounds write in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition or execute code in the …
CVE-2024-49375
January 14, 2025
Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa …
CVE-2025-21311
January 14, 2025
No description available
CVE-2025-21307
January 14, 2025
No description available
CVE-2025-21298
January 14, 2025
No description available
CVE-2025-23025
January 14, 2025
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in …
CVE-2024-13159
January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13160
January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13161
January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-10811
January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-34166
January 14, 2025
An OS command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of HTTP requests can lead to arbitrary code execution. An attacker …
CVE-2024-39363
January 14, 2025
A cross-site scripting (XSS) vulnerability exists in the login.cgi set_lang_CountryCode() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker …
CVE-2024-39761
January 14, 2025
Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make …
CVE-2024-39760
January 14, 2025
Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make …
CVE-2024-39759
January 14, 2025
Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make …
CVE-2024-36290
January 14, 2025
A buffer overflow vulnerability exists in the login.cgi Goto_chidx() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an …
CVE-2024-39765
January 14, 2025
Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make …
CVE-2024-39764
January 14, 2025
Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make …
CVE-2024-39763
January 14, 2025
Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make …
How to Prioritize Critical CVEs
Immediate Action Required
- CVEs with CVSS 10.0 (maximum severity)
- CVEs listed in CISA's KEV catalog
- CVEs with public exploits available
- CVEs affecting internet-facing systems
- CVEs with EPSS scores above 0.7
High Priority
- CVEs with CVSS 9.0-9.9
- CVEs affecting critical business systems
- CVEs with medium EPSS scores (0.3-0.7)
- CVEs in widely-used software libraries
- CVEs with active security research
Best Practices for Critical CVE Management
Automated Monitoring
Set up automated vulnerability scanning and monitoring to detect critical CVEs affecting your infrastructure. Use vulnerability management platforms to track and prioritize remediation efforts.
Rapid Response
Establish a rapid response process for critical vulnerabilities. Aim to patch critical CVEs within 24-48 hours of disclosure, especially those with active exploits or KEV status.
Risk Assessment
Assess the actual risk to your environment. Not all critical CVEs affect all systems. Check if your infrastructure uses the affected software versions and if the vulnerability is exploitable in your specific configuration.
Defense in Depth
Implement network segmentation, intrusion detection systems, and least privilege access controls. These defensive measures can mitigate the impact of critical vulnerabilities even before patches are available.
Stay Protected
Monitor critical vulnerabilities in real-time and get alerts when new threats emerge. Set up custom vulnerability monitoring for your infrastructure.