Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-49008 |
Description: Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes all arguments using `escapeshellarg()` prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system.
CVSS: CRITICAL (9.4) EPSS Score: 0.08%
June 5th, 2025 (1 day ago)
|
|
🚨 Marked as known exploited on May 28th, 2025 (9 days ago).
Description: Meet the elite squad that’s hunting the next major cyberattack. With more than 150 years of combined research experience and expert analysis, the Tenable Research Special Operations team arms organizations with the critical and actionable intelligence necessary to proactively defend the modern attack surface. The digital battlefield is constantly shifting. It's no longer enough to just react. We need to anticipate. Massive data breaches leave consumers exposed to identity thieves, ransomware attacks cripple hospitals, and Nation State actors disrupt critical infrastructure. It's not just about vulnerable software anymore. In our hyper-connected world, from the smart devices in your home to the complex systems running our cities, everything is a potential target. The explosion of cloud services and AI is accelerating this risk, creating countless new windows for cybercriminals and hostile nations to exploit. From software and hardware vulnerabilities, to misconfigurations, compromised identities, overexposed and highly privileged environments, and publicly accessible databases, the threat landscape is everywhere, all at once. As of October 2024, over 240,000 Common Vulnerabilities and Exposures (CVEs) have been tracked through the MITRE CVE program, including many that have significantly impacted consumers, businesses and governments. The volume has historically been too much for security teams to keep up with. Beyond the sheer increase in the volume of traditional vulnerab...
CVSS: CRITICAL (9.6) EPSS Score: 8.83%
May 28th, 2025 (9 days ago)
|
|
Description: A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks.
"Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today.
Targets of the campaign
CVSS: CRITICAL (10.0) EPSS Score: 78.65%
May 13th, 2025 (24 days ago)
|
|
Description: Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access.
The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities -
CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP
CVSS: CRITICAL (9.0) EPSS Score: 36.6%
April 28th, 2025 (about 1 month ago)
|
|
Description: As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will.No heist story
CVSS: CRITICAL (10.0) EPSS Score: 63.86%
April 24th, 2025 (about 1 month ago)
|
|
Description: Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched.
The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.
"A threat actor used a known
CVSS: CRITICAL (9.8)
April 11th, 2025 (about 2 months ago)
|
|
CVE-2024-9095 |
Description: In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user's access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 20th, 2025 (3 months ago)
|
|
CVE-2023-20198 |
Description: A newly uncovered cyber espionage campaign led by the Chinese state-sponsored hacking group Salt Typhoon (Red Mike) has compromised vulnerable Cisco devices worldwide, targeting telecommunications providers across multiple countries, including the United States, the United Kingdom, and South Africa. The attack exploits two critical privilege escalation vulnerabilities, CVE-2023-20198 and CVE-2023-20273, found in Cisco IOS XE …
The post Chinese Hackers Breach Cisco Devices in Global Telecom Attacks appeared first on CyberInsider.
CVSS: CRITICAL (10.0)
February 14th, 2025 (4 months ago)
|
|
CVE-2024-12356 |
Description: The breach was carried out by exploiting CVE-2024-12356 in BeyondTrust cybersecurity company, just last week.
CVSS: CRITICAL (9.8) EPSS Score: 1.3%
January 7th, 2025 (5 months ago)
|