Multiple Critical Vulnerabilities Disclosed Across Major Software and Hardware Platforms
Several critical vulnerabilities have been disclosed affecting a range of widely used software frameworks and hardware platforms. Notable issues include a critical flaw in the Apache bRPC framework (CVE-2025-59789) that exposes high-performance systems to crash risks, a high-severity unauthenticated XXE vulnerability in GeoServer (CVE-2025-58360) enabling file theft and SSRF, and a critical SQL injection vulnerability in Devolutions Server (CVE-2025-13757) that allows authenticated attackers to steal all stored passwords. Additional disclosures include a proof-of-concept exploit for a Windows Administrator Protection elevation of privilege vulnerability (CVE-2025-60718), a critical boot process compromise in Snapdragon 8 Gen 3 and 5G modems (CVE-2025-47372), and a flaw in Apache Kvrocks that allows privilege escalation via the 'RESET' command.
A separate high-severity vulnerability (CVE-2025-61618) was identified in Unisoc T8100/T9100/T8200/T8300 chipsets, affecting Android devices and allowing remote denial of service through improper input validation in the NR modem. These vulnerabilities collectively highlight the ongoing risk posed by both software and hardware flaws, with several enabling remote code execution, privilege escalation, or denial of service. Organizations using affected products should prioritize patching and mitigation efforts to reduce exposure to these critical threats.
Timeline
Dec 1, 2025
Unisoc improper input validation flaw CVE-2025-61618 reported
A vulnerability entry for CVE-2025-61618 was published describing an improper input validation issue affecting multiple Unisoc chipsets, including the T8100, T9100, T8200, and T8300.
Dec 1, 2025
PoC exploits released for Windows EoP CVE-2025-60718
Proof-of-concept exploit code was released for CVE-2025-60718, a Windows Administrator Protection elevation-of-privilege vulnerability, increasing the technical detail available for potential exploitation.
Dec 1, 2025
Apache bRPC crash-risk flaw CVE-2025-59789 disclosed
A critical vulnerability in the Apache bRPC framework, CVE-2025-59789, was publicly reported as exposing affected high-performance systems to crash risks.
Dec 1, 2025
Devolutions Server SQL injection CVE-2025-13757 disclosed
A critical authenticated SQL injection vulnerability in Devolutions Server, tracked as CVE-2025-13757, was reported as potentially allowing attackers to steal all stored passwords.
Dec 1, 2025
GeoServer XXE flaw CVE-2025-58360 disclosed
A high-severity GeoServer vulnerability, CVE-2025-58360, was disclosed as an unauthenticated XML External Entity injection issue that could enable file theft and SSRF attacks.
Nov 29, 2025
Apache Kvrocks RESET command flaw disclosed
A critical vulnerability affecting Apache Kvrocks was publicly reported, describing a flaw in the RESET command that could grant administrative privileges to an attacker.
Related Stories

Multiple Critical Vulnerabilities in Popular Enterprise Software and Devices
Several critical vulnerabilities have been disclosed in widely used enterprise products, each posing significant security risks. A flaw in ASUSTOR devices (CVE-2025-13051) allows local attackers to escalate privileges to SYSTEM via DLL hijacking, potentially granting full control over affected systems. Separately, Apache Causeway is impacted by a remote code execution vulnerability (CVE-2025-64408) that enables authenticated attackers to execute arbitrary code through Java deserialization, threatening the integrity of applications built on this framework. Additionally, the D-Link DIR-878 router, now at end-of-life, contains three unpatched remote code execution flaws that allow unauthenticated attackers to run commands remotely, leaving users exposed with no forthcoming security updates. Apache Tomcat is also affected by a critical path traversal vulnerability (CVE-2025-55752), which can be exploited under certain rewrite configurations to access sensitive directories, especially when HTTP PUT is enabled. Organizations using these products should urgently assess their exposure and apply mitigations or seek alternatives where patches are unavailable.
1 month ago
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
Several critical vulnerabilities have been disclosed affecting a range of widely used software platforms, including the Linux InputPlumber component, Apache Uniffle, legacy Vivotek cameras, Ubuntu Linux Kernel, Apache Struts 2, and React Router. Each vulnerability presents unique risks, such as remote code execution, information disclosure, privilege escalation, and unauthorized access, potentially impacting both enterprise and consumer environments. Security advisories urge immediate attention to patching and mitigation, as attackers could exploit these flaws to compromise systems, intercept sensitive data, or disrupt operations. The Ubuntu Linux Kernel advisory details multiple CVEs affecting various LTS versions, with potential impacts including denial of service, elevation of privilege, and information disclosure. Other reports highlight specific vulnerabilities: InputPlumber flaws could allow hijacking of Linux gaming sessions, Apache Uniffle and Struts 2 flaws expose clusters and data to eavesdropping and leakage, React Router's CVE-2025-61686 could lead to server file exposure, and unpatched Vivotek cameras are broadcasting live video feeds publicly. Organizations are advised to review vendor advisories and apply security updates promptly to mitigate these threats.
1 month ago
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
1 month ago