Threat and Vulnerability Intelligence Database

CVE-2025-24472

🚨 Marked as known exploited on March 18th, 2025 (about 1 month ago).
Description: An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.

CVSS: HIGH (8.1)

EPSS Score: 0.04%

Source: CVE
February 12th, 2025 (2 months ago)

CVE-2025-21418

🚨 Marked as known exploited on February 11th, 2025 (2 months ago).
Description: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVSS: HIGH (7.8)

EPSS Score: 0.05%

Source: CVE
February 12th, 2025 (2 months ago)

CVE-2025-21391

🚨 Marked as known exploited on February 11th, 2025 (2 months ago).
Description: Windows Storage Elevation of Privilege Vulnerability

CVSS: HIGH (7.1)

EPSS Score: 0.09%

Source: CVE
February 12th, 2025 (2 months ago)

CVE-2025-0994

🚨 Marked as known exploited on February 6th, 2025 (2 months ago).
Description: Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

CVSS: HIGH (8.6)

EPSS Score: 1.32%

Source: CVE
February 7th, 2025 (2 months ago)

CVE-2024-45195

🚨 Marked as known exploited on February 4th, 2025 (2 months ago).
Description: Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

CVSS: HIGH (7.5)

EPSS Score: 75.58%

Source: CVE
February 5th, 2025 (2 months ago)

CVE-2024-40891

🚨 Marked as known exploited on January 29th, 2025 (3 months ago).
Description: A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.

CVSS: HIGH (8.8)

EPSS Score: 4.13%

Source: CVE
February 5th, 2025 (2 months ago)

CVE-2024-40890

🚨 Marked as known exploited on February 11th, 2025 (2 months ago).
Description: A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

CVSS: HIGH (8.8)

EPSS Score: 4.13%

Source: CVE
February 5th, 2025 (2 months ago)

CVE-2025-24085

🚨 Marked as known exploited on January 28th, 2025 (3 months ago).
Description: A use after free issue was addressed with improved memory management. This issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.

CVSS: HIGH (7.8)

EPSS Score: 0.21%

Source: CVE
January 28th, 2025 (3 months ago)

CVE-2025-0411

🚨 Marked as known exploited on February 4th, 2025 (2 months ago).
Description: 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.

CVSS: HIGH (7.0)

EPSS Score: 0.4%

Source: CVE
January 26th, 2025 (3 months ago)

CVE-2025-23209

🚨 Marked as known exploited on February 20th, 2025 (about 2 months ago).
Description: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue.

CVSS: HIGH (8.1)

EPSS Score: 0.05%

Source: CVE
January 23rd, 2025 (3 months ago)