Patch Tuesday December 2025 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Microsoft Vulnerabilities
This Patch Tuesday brings 56 vulnerability fixes from Microsoft, fewer than last month, with only two rated critical. However, the release is notable for its three zero-days, including two with publicly available proof-of-concept exploits.
Windows Cloud Files Mini Filter Driver vulnerability CVE-2025-62221
“When attackers can climb from a low-level account to full system control, every compromised user becomes a doorway to total takeover.”
CVE-2025-62221 is an Elevation of Privilege (EoP) vulnerability in the Windows Cloud Files Mini Filter Driver, a component used by Windows to manage cloud-synced and placeholder files. This flaw allows attackers who already have limited local access to escalate their privileges to SYSTEM. Microsoft has confirmed active exploitation, meaning attackers are already using this vulnerability in real-world attacks.
CVSS Score: 7.8
SEVERITY: Important
THREAT: Elevation of Privilege
EXPLOITS: This vulnerability is being actively exploited in the wild. Although no fully public proof-of-concept code has been broadly released, exploitation has been observed by security teams and is being used as part of targeted intrusion chains. Once attackers gain any local access — even through minor footholds — they can reliably escalate privileges using this flaw.
TECHNICAL SUMMARY: The Windows Cloud Files Mini Filter Driver improperly handles specific file system operations related to cloud-backed content. An attacker can manipulate these interactions to cause the driver to perform privileged actions on their behalf. Because the driver operates at a high level of trust inside the Windows kernel, abusing this flaw enables attackers to execute code with elevated permissions, modify protected system resources, disable security controls, or establish persistent access.
EXPOLITABILITY: All supported Windows versions that utilize the Cloud Files Mini Filter Driver are impacted. Exploitation requires the attacker to execute code locally, but once achieved, they can trigger the vulnerable driver behavior to escalate privileges to SYSTEM. This makes it a highly valuable component in multi-stage attack chains.
BUSINESS IMPACT: Active exploitation dramatically increases risk. Attackers can:
- Take full control of compromised systems.
- Disable detection tools and security agents.
- Steal sensitive data or credentials stored locally.
- Move laterally across networks to compromise additional systems.
- Establish high-privilege persistence, making incident response far more difficult.
Because cloud-synced file features are widely deployed across enterprise environments, nearly all organizations face exposure if the patch is not applied quickly.
WORKAROUND: If patching is delayed:
- Limit local user access and ensure least-privilege policies are enforced.
- Restrict the execution of untrusted software to prevent attackers from gaining the initial foothold needed for local exploitation.
- Temporarily reduce reliance on cloud-sync features if operationally feasible.
These mitigations reduce risk but do not eliminate the underlying vulnerability.
URGENCY: This patch requires swift deployment because the vulnerability is already exploited in the wild, provides privilege escalation to SYSTEM, and is easily chained with phishing, browser exploits, malicious documents, or other low-level entry points. Leaving systems unpatched enables attackers to rapidly gain full control over Windows devices with minimal barriers.
PowerShell Remote Code Execution Vulnerability CVE-2025-54100
“Even an Important-rated RCE can become a critical entry point if attackers find it before defenders fix it.”
This vulnerability allows remote attackers to execute arbitrary code on affected systems by abusing how the software processes certain untrusted inputs. While classified as Important, its ability to enable remote code execution makes it a serious threat that can compromise system integrity and stability if not addressed.
CVSS Score: 7.8
SEVERITY: Important
THREAT: Remote Code Execution (RCE)
EXPLOITS: No public exploit, zero-day activity, or proof-of-concept code is currently known. However, RCE vulnerabilities often become targets for exploit development once disclosed.
TECHNICAL SUMMARY: CVE-2025-54100 is caused by insufficient sanitization and validation of externally supplied data. When a crafted request is processed, the vulnerable component may mishandle memory or execution flow, allowing remote attackers to execute arbitrary code. The code execution would occur under the privileges of the affected service, potentially granting access to modify data, disrupt processes, or escalate attacks.
EXPLOITABILITY: Systems running affected versions of the software are vulnerable. Attackers would typically exploit this flaw by sending specifically crafted network inputs to the exposed service endpoint, causing unintended execution behavior.
BUSINESS IMPACT: Although rated Important, the risk of remote code execution can still lead to serious business consequences, including service outages, data manipulation, system instability, or becoming a stepping-stone for deeper network compromise. Organizations may face productivity loss, increased incident response costs, and reputational concerns if exploited.
WORKAROUND: If patching cannot be applied immediately, restrict access to the affected service, harden network boundaries, reduce exposure to untrusted networks, and monitor logs for suspicious input patterns or abnormal behavior.
URGENCY: Because this vulnerability permits RCE—even without current public exploits—patching should be prioritized. Preventing remote attackers from gaining code execution capability is essential to maintaining system security and reducing the chance of future exploit development turning this into a high-risk vector.
Microsoft Office Remote Code Execution Vulnerability CVE-2025-62554
“A single remote code flaw can turn a trusted system into an attacker’s playground if it isn’t patched in time.”
This vulnerability allows remote attackers to execute arbitrary code on affected systems by exploiting a flaw in how the software processes certain external inputs. Successful exploitation could allow an attacker to take full control of the system, modify data, disrupt services, or pivot deeper into the network.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Remote Code Execution (RCE)
EXPLOITS: At this time, no public exploit code, zero-day activity, or proof-of-concept demonstrations have been confirmed. However, RCE vulnerabilities with high severity frequently attract exploit development shortly after disclosure.
TECHNICAL SUMMARY: CVE-2025-62554 arises from improper validation of externally supplied data. When a specially crafted request is processed, the vulnerable component mishandles the input and triggers an unintended execution path. This allows attackers to run arbitrary code with the privileges of the compromised service. If exploited, this could lead to system manipulation, data exposure, or complete operational disruption.
EXPLOITABILITY: All systems running affected versions of the vulnerable software are at risk. Attackers typically exploit this type of flaw by delivering crafted network requests to the exposed service interface, forcing the system to execute unauthorized code.
BUSINESS IMPACT: A successful RCE attack could lead to full system compromise, exposing organizations to data breaches, ransomware deployment, operational outages, regulatory risk, and long-term reputational damage. This type of vulnerability provides attackers with a direct path to high-value assets.
WORKAROUND: If patching cannot be applied immediately, organizations should restrict access to the affected service, apply strict firewall rules, isolate vulnerable systems when possible, and closely monitor network behavior for anomalies.
URGENCY: Because this is a Critical RCE vulnerability, rapid patch deployment is essential. RCE flaws are among the most aggressively targeted by attackers, and the potential impact—from system takeover to widespread lateral movement—makes immediate mitigation crucial.
Microsoft Office Remote Code Execution Vulnerability CVE-2025-62557
“When code execution becomes possible from the outside, every unpatched system becomes an open invitation for attackers.”
This vulnerability allows an attacker to remotely execute arbitrary code on affected systems by exploiting improper validation within a core processing component. Successful exploitation could grant the attacker full control of the system, enabling data manipulation, service disruption, or further compromise of connected environments.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Remote Code Execution (RCE)
EXPLOITS: There are currently no confirmed public exploits, zero-day attacks, or proof-of-concept code available. Still, RCE vulnerabilities with high criticality often attract rapid exploit development given their potential impact.
TECHNICAL SUMMARY: CVE-2025-62557 is caused by insufficient input validation that occurs during the handling of network-based requests. This flaw allows specially crafted inputs to trigger unintended execution paths, ultimately enabling remote execution of arbitrary code with the privileges of the targeted service. If exploited, attackers could install malicious software, manipulate system configurations, steal sensitive information, or halt essential operations.
EXPLOITABILITY: All systems running vulnerable versions of the affected software are at risk. Attackers would typically exploit this by sending maliciously crafted requests to the exposed service endpoint, causing the vulnerable component to execute unauthorized code.
BUSINESS IMPACT: A successful attack could lead to complete system compromise. Organizations may face operational downtime, data loss, financial damage, and long-term reputational harm. Because RCE vulnerabilities provide attackers with direct control, they pose a significant threat to business continuity and security integrity.
WORKAROUND: If patching cannot be applied immediately, organizations should restrict network access to the affected service, enable additional monitoring for anomalies, and deploy strict firewall or segmentation controls to reduce exposure.
URGENCY: This patch must be deployed quickly because Critical RCE vulnerabilities often become prime targets for exploit development. The risk of full system takeover makes rapid mitigation essential for maintaining security and preventing a potential breach.
Microsoft Office Remote Code Execution Vulnerability CVE-2025-62562
“A single overlooked flaw can become the doorway attackers use to take full control—this patch closes that doorway before someone walks through it.”
This vulnerability allows attackers to execute arbitrary code on affected systems remotely, giving them the ability to run malicious commands without authorization. If exploited, it grants the attacker privileges that could compromise data, disrupt operations, or enable lateral movement across the network.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Remote Code Execution (RCE)
EXPLOITS: No public exploit code or zero-day attacks have been reported at this time. However, vulnerabilities enabling remote code execution often attract exploit development quickly due to their high impact and broad attack surface.
TECHNICAL SUMMARY: CVE-2025-62562 stems from improper input handling within a core processing component of the affected software. The flaw allows crafted network inputs to bypass security checks, ultimately allowing arbitrary code execution under the application’s security context. If leveraged, an attacker could install programs, modify or steal data, or disrupt normal system operations.
EXPLOITABILITY: Systems running vulnerable versions of the affected software are susceptible. An attacker would typically exploit this flaw by sending specially crafted requests to the exposed service, triggering the code execution path.
BUSINESS IMPACT: This vulnerability can directly lead to full system compromise. Organizations may face operational outages, data theft, ransomware events, and reputational damage. Even one successful attack exploiting an RCE vulnerability can cascade into far-reaching organizational risk.
WORKAROUND: If immediate patching is not possible, restrict access to the affected service, apply network-level filtering, and monitor for unusual traffic patterns until updates can be deployed.
URGENCY: Because this is a Critical RCE vulnerability with high-impact potential, rapid deployment of the patch is essential to prevent attackers from gaining full control of systems. RCE flaws are prime targets for threat actors and often become weaponized quickly.
Microsoft Windows LNK File UI Misrepresentation (CVE-2025-9491)
“A harmless-looking Windows shortcut can hide dangerous commands and launch malware without warning.”
Microsoft’s update fixes CVE-2025-9491, a high-severity flaw in how Windows displays .LNK shortcut file targets. By padding commands with whitespace, attackers could hide malicious arguments in the file’s properties, making the shortcut appear safe. The vulnerability held a CVSS score in the high range (7.0–7.8) and was actively exploited in real-world attacks, including campaigns deploying PlugX malware.
The patch now forces Windows to show the full, unmasked shortcut target, stopping attackers from concealing harmful commands behind misleading UI behavior.
Google Chrome
“These updates shut down high-risk browser flaws before attackers can turn them into easy entry points.”
The Google Chrome and Microsoft Edge 143 security updates deliver a coordinated set of fixes for multiple high-severity vulnerabilities across the Chromium platform. This release addresses several memory-corruption issues—most notably use-after-free, type confusion, and out-of-bounds read/write flaws that could allow remote code execution or sandbox escape when users visit maliciously crafted websites. These vulnerabilities (CVEs CVE-2025-13630 – 13633) carry High-severity CVSS scores ranging from 7.5 to 8.8, reflecting the significant security exposure they pose.
The fixes included in Chrome 143 are mirrored in Microsoft Edge due to their shared Chromium foundation, ensuring that both browsers close the same dangerous attack paths. By resolving these issues, the update reduces the risk of data compromise, drive-by exploitation, and full browser takeover.
Mozilla Firefox
“Firefox 145 locks down serious security holes and upgrades privacy — your browsing just got safer and smoother.”
Firefox 145 is a major stable-channel update released November 11, 2025. It delivers a wide set of security fixes along with user-facing improvements in privacy, usability, and web-standards support.
Firefox 145 patches a large number of vulnerabilities — including several critical flaws in graphics (WebGPU), JavaScript/WebAssembly, the browser sandbox, and memory-safety bugs — that collectively could allow arbitrary code execution, sandbox escape, or other serious security risks. High-impact CVEs fixed include (among others) CVE-2025-13027, CVE-2025-13023, CVE-2025-13024, plus flaws in WebGPU (e.g. CVE-2025-13021 / CVE-2025-13022 / CVE-2025-13025) and WebAssembly (e.g. CVE-2025-13016). Many of these involve incorrect boundary checks, memory-safety bugs or JIT miscompilations — issues that attackers could exploit remotely via malicious web content.
Android
“This update closes more than a hundred security holes — including two that were already being used in attacks. If you haven’t updated yet, you’re exposed.”
The December 2025 security patch for Android fixes a total of 107 vulnerabilities, touching a wide array of components across the OS. Notably, it patches two “zero-day” flaws — CVE-2025-48633 (information disclosure – no published CVSS score yet) and CVE-2025-48572 (privilege escalation – CVSS 7.4 High Severity), which Google warns were already exploited in limited, targeted attacks.
Because of a change in release strategy this year, monthly Android security bulletins now focus on “high-risk” issues; as a result, quarterly releases like this December patch tend to be larger and more critical than typical monthly updates.
This means the patch isn’t just routine maintenance — it’s a major security safeguard.
Cisco
Cisco Unified Contact Center Express Remote Code Execution Vulnerabilities
“An unauthenticated attacker can walk in and take over your contact-center system as root — no login needed.”
These critical vulnerabilities in Cisco Unified Contact Center Express (UCCX) allow remote attackers to gain high-privilege access without authentication. Both issues are severe, independent, and affect systems running vulnerable versions of UCCX.
CVE-2025-20354 is the most critical of the two, stemming from improper authentication in the Java RMI service. An attacker who can reach this service can upload arbitrary files and execute them as root, enabling full system compromise. With a CVSS rating of 9.8 (Critical), this flaw represents a direct path to total control of the UCCX server.
CVE-2025-20358 involves an authentication bypass in the UCCX Editor application. By redirecting authentication to a malicious server, an attacker can gain administrative script-execution privileges. While it doesn’t immediately provide root access, it still allows arbitrary script execution and can often lead to full compromise. Its CVSS rating is 9.4 (Critical).
Both vulnerabilities are confirmed critical, affect widely deployed UCCX environments, and have no workarounds. At this time, there are no confirmed real-world attacks and no public proof-of-concept code, but the nature of the vulnerabilities makes exploitation straightforward once details are known.
Cisco Catalyst Center Virtual Appliance — Privilege Escalation Vulnerability
“A normally low-privilege user could trick the system into gaining full admin control with nothing more than a crafted HTTP request.”
The latest update for Cisco Catalyst Center Virtual Appliance addresses a significant privilege escalation flaw tracked as CVE-2025-20341. The issue stems from improper validation of user-supplied input, allowing an authenticated attacker with only “Observer” privileges to send a specially crafted HTTP request and elevate themselves to full Administrator access. Once elevated, the attacker could create accounts, change system configurations, or manipulate operational data without authorization.
This vulnerability carries a CVSS 3.1 score of 8.8 (High). It affects virtual appliance deployments running on VMware ESXi, specifically versions 2.3.7.3-VA through 2.3.7.10-VA. Cisco confirmed that hardware appliances and AWS-based virtual appliances are not affected. At this time, there is no evidence of real-world exploitation, zero-day use, or public proof-of-concept code.
FortiWeb
“Patch immediately — attackers are actively exploiting FortiWeb flaws to take full control.”
This update for FortiWeb resolves several serious vulnerabilities — including two zero-days already used in real-world attacks.
The most critical issue is CVE-2025-64446 (CVSS 9.1), a path-traversal flaw that lets attackers bypass authentication and run admin-level commands on the appliance. Another exploited issue, CVE-2025-58034 (CVSS 6.7), allows OS-command injection by authenticated users.
Fortinet has released fixes in FortiWeb 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12. With multiple vulnerabilities exploited in the wild and PoC code circulating, timely patching is essential to prevent full system compromise.
PAN-OS Firewall
“A simple bad packet can take down your firewall — this update cuts that threat off at the source.”
This patch closes a critical denial-of-service vulnerability in PAN-OS firewalls where specially crafted packets could crash or significantly disrupt firewall operations. The flaw is tracked as CVE-2025-4619 (CVSS 6.6 with Medium Severity) and it allowed attackers to cause a DoS condition by sending malformed network packets. Because firewalls are often the first line of defense, successfully exploiting this could render a network undefended.
No evidence has emerged suggesting the flaw was used in the wild. However, proof-of-concept triggers were demonstrated internally, showing that an attacker with the ability to send network traffic to the firewall could cause interruption of service. Given the straightforward nature of triggering the issue, systems exposed to untrusted networks faced a substantial risk.
SolarWinds
“If your network-management tool has holes, everything it watches becomes the target.”
The vendor has issued a series of urgent security patches for its flagship products, including SolarWinds Web Help Desk, SolarWinds Platform (Orion), and SolarWinds Serv U. Among the fixed flaws are:
- A remote-code-execution vulnerability (CVE-2024-28986) in Web Help Desk, with a CVSS score of 9.8, Critical severity, that could allow attackers to execute arbitrary commands on the host.
- A patch-bypass vulnerability (CVE-2025-26399) targeting Web Help Desk 12.8.7 and earlier, also rated 9.8, Critical severity, enabling remote code execution through deserialization of untrusted data.
- A collection of high-severity issues in the Platform and Serv-U, including directory-traversal (CVE-2024-28995 CVSS 7.5, High severity), SWQL injection (CVE-2024-28996 – CVSS 7.5 High severity), race-condition bugs (CVE-2024-28999- CVSS 7.5 High severity), and stored XSS (CVE-2024-29004 – CVSS 7.1, High severity).
- A DOM-based reflected XSS in SWOSH (CVE-2025-26395 – CVSS 7.1, High severity).
- The Platform Self-Hosted 2025.1 update fixed a buffer-overflow vulnerability (CVE-2024-5535, CVSS 9.1, Critical severity) and other flaws in third-party components.
Because these tools are entrusted with monitoring, controlling, and automating large IT estates, any compromise of them can grant attackers visibility, control, or disruption across wide swathes of an organization’s infrastructure.
React / Next.js
“This patch shuts down a critical RCE pathway hiding inside routine server-component traffic.”
This update resolves a critical unauthenticated remote-code-execution flaw in the React Server Components (RSC) “Flight” protocol. The vulnerability stemmed from unsafe deserialization of “React Flight reply” payloads, allowing a malicious HTTP POST request to trigger execution of attacker-supplied JavaScript via Node.js’s execution context.
The primary identifier is CVE-2025-55182 (CVSS 10.0), which affects React’s “react-server” packages, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. CVE-2025-66478 was later rejected as a duplicate but was initially issued due to downstream exposure in Next.js, where many deployments expose the vulnerable RSC endpoint by default. Because of this, the attack surface was broadly reachable and non-theoretical.
Although developers might not explicitly use server functions, many Next.js configurations automatically support RSC behavior, making unpatched environments susceptible to full server compromise. Updated versions of React (19.0.1, 19.1.2, 19.2.1) and Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7) fully address the flaw.
Grafana Enterprise
“A malicious SCIM user can hijack your Admin account simply by choosing externalId = 1.”
This vulnerability (CVE-2025-41115) affects Grafana Enterprise (version 12.0.0 through 12.2.1) when SCIM provisioning is enabled and configured (enableSCIM = true and user_sync_enabled = true). A malicious or compromised SCIM client can submit a numeric externalId (e.g. “1”), which Grafana incorrectly maps to its internal user.uid value — potentially matching an existing privileged account (typically the Admin). That mis-mapping allows user impersonation and immediate privilege escalation without needing a password.
The flaw is rated Critical (CVSS 10.0) under a network-accessible, no-authentication, no-user-interaction exploit scenario. A working proof-of-concept exploit is publicly available. Organizations running affected Grafana Enterprise builds with SCIM turned on are at strong risk of full account take-over and should patch immediately.
Vitepos Point of Sale (POS) for WooCommerce
“A single uploaded file could turn your POS system into an attacker’s playground — this patch slams that door shut.”
This update fixes a Critical vulnerability in the Vitepos POS plugin for WooCommerce, tracked as CVE-2025-13156 with CVSS Score of 8.8 – High severity, where an attacker could upload arbitrary files to the server. Because the upload mechanism failed to properly validate file types and enforce security checks, an unauthenticated attacker could upload malicious files — including executable scripts — directly into the site’s filesystem.
The vulnerability allows a straightforward path to remote code execution, full site takeover, payment-data compromise, or malware deployment. A working proof-of-concept is available, demonstrating that exploitation only requires access to the affected upload endpoint, making exposed e-commerce environments especially vulnerable.
No confirmed in-the-wild exploitation has been reported, but the existence of easy-to-use PoC code means any unpatched store is at high risk.
WordPress
King Addons for Elementor – Privilege Escalation (CVE-2025-8489)
“A critical bug that lets anyone become administrator — no login, no password.”
An update to the King Addons for Elementor plugin addresses a critical flaw (CVE-2025-8489) in versions 24.12.92 through 51.1.14, where the plugin failed to properly restrict user-role assignments during registration. As a result, an unauthenticated attacker could register as an administrator and gain full control of the site (install plugins, modify content, exfiltrate data — full takeover). The flaw carried a CVSS score of 9.8, indicating critical risk. A patched version (beyond 51.1.14) is now available.
URL Image Importer – Arbitrary File Upload (CVE-2025-12138)
“Allowing a mid-level user to upload any file is asking for trouble.”
The URL Image Importer plugin — up to version 1.0.6 — suffers from CVE-2025-12138: insufficient file-type validation when importing images by URL. The plugin trusts the user-supplied HTTP Content-Type header and writes the file before validating. A user with Author-level (or higher) privileges could upload a malicious PHP shell instead of an image; if the server executes uploads, this could lead to remote code execution, full site compromise, or data exposure. The CVSS is 8.8 (High). A fixed version (≥ 1.0.7) was released.
Code Snippets – PHP Code Injection via Shortcode (CVE-2025-13035)
“One tiny shortcode — and a contributor becomes root.”
The Code Snippets plugin (≤ 3.9.1) is affected by CVE-2025-13035: a PHP code injection vulnerability stemming from use of the unsafe extract() function on untrusted shortcode attributes. An authenticated user (Contributor or above) could craft a [code_snippet] shortcode to overwrite internal file-path variables, and if the plugin’s “Enable file-based execution” setting is active and at least one content snippet exists, execute arbitrary PHP code on the server via require once. This flaw grants server-side code execution. CVSS is 8.0 (High). The issue is patched in version 3.9.2.
Fortinet FortiClientWindows
“Two flaws in FortiClientWindows could quietly hand attackers elevated access and sensitive data — this update shuts both doors fast.”
This FortiClientWindows update resolves two high-severity vulnerabilities that could allow attackers to gain elevated privileges or access sensitive information stored by the client.
CVE-2025-46373 addresses a privilege-escalation flaw caused by improper access controls within a core FortiClientWindows service. A local attacker could exploit the weakness to execute code with elevated permissions, potentially modifying system settings, installing persistence, or tampering with security controls. This vulnerability is rated High severity, reflecting its potential for full system impact when combined with local access.
CVE-2025-47761 fixes a sensitive data exposure issue involving insecure handling of configuration or session-related information. An attacker with local access could extract data that might include credentials, tokens, or other information useful for follow-on attacks. Although not as directly impactful as code execution, the exposure presents a meaningful risk when combined with privilege-escalation paths.
At this time, there are no reports of in-the-wild exploitation, and no public proof-of-concept code has been released. However, the nature of the vulnerabilities makes timely patching essential to prevent local attackers from chaining them for deeper compromise.
IBM
IBM Planning Analytics – Arbitrary Directory-Traversal (CVE-2025-36357)
“A remote attacker with credentials can walk through your files — every path is a potential breach.”
This vulnerability affects IBM Planning Analytics Local versions 2.1.0 through 2.1.14. An authenticated user can send a specially crafted URL containing absolute path sequences (e.g., “/etc/passwd” or “..\..\..\system32”) to view, read, or write arbitrary files on the system. The base CVSS v3.1 score is 8.0 (HIGH).
The underlying cause is CWE-36 (“Absolute Path Traversal”).
No confirmed public exploit or zero-day use is currently reported.
If you are using IBM Planning Analytics Local version 2.1.x up to 2.1.14, you should check whether your version includes the fix is contained in IBM Planning Analytics Local version 2.1.15, for this directory-traversal issue.
IBM Storage Virtualize – Arbitrary Information Disclosure in (CVE-2025-36118)
“A remote attacker can peek into memory and steal key data before you even know something’s wrong.”
This vulnerability affects the IBM Storage Virtualize family (versions 8.4, 8.5, 8.7 and 9.1) in its IKEv1 implementation. An attacker with no privileges, via the network, can initiate a Security Association negotiation and cause sensitive information from device memory to be disclosed. The CVSS v3.1 base score is 7.5 (HIGH).
The underlying weakness is classified as CWE-244 (“Improper Clearing of Heap Memory Before Release”).
At this time there is no publicly reported evidence of active exploitation in the wild.
IBM webMethods – Arbitrary Code Execution (CVE-2025-36072)
“A trusted, low-privilege user can hand you full system control simply by submitting a malicious object — the deserialization shortcut becomes a backdoor.”
This vulnerability affects IBM webMethods Integration (on-premises) versions 10.11 (up to Core Fix 22), 10.15 (up to Core Fix 22), and 11.1 (up to Core Fix 6). An authenticated user with network access and low privileges can exploit unsafe deserialization of object graphs (CWE-502) to execute arbitrary code on the system. The CVSS v3.1 base score is 8.8 (HIGH).
There are no publicly documented proof-of-concepts or observed active exploits as yet.
The underlying issue: the system accepts serialized Java objects from a user-controlled source, deserializes them without proper validation, and allows the attacker to inject malicious payloads.
Oracle
“A single malformed log request could let an attacker run their own code inside Oracle Fusion — this patch stops that cold.”
This update resolves a Critical vulnerability in Oracle Fusion’s logging component, tracked as CVE-2025-61757. The flaw allows an attacker with network access to send specially crafted logging data that triggers remote code execution within the affected Fusion service. Because the logging subsystem often runs with elevated privileges, a successful exploit could lead to full application takeover, unauthorized data access, or a foothold for broader compromise in integrated Oracle environments.
The issue is rated Critical with CVSS score of 9.8, reflecting both the ease of exploitation and the severity of impact. No confirmed real-world exploitation has been reported, but internal testing and security-research analysis have demonstrated that the flaw is exploitable under realistic conditions. No public proof-of-concept has been released, but the attack path is straightforward enough to make patching urgent.
GitLab
“A single malicious JSON request can knock out GitLab — no login, no credentials needed.”
This update addresses a high-severity Denial-of-Service vulnerability in GitLab CE/EE where an attacker can send a specially crafted JSON payload to crash the service without authentication. Tracked as CVE-2025-12571, the flaw holds a CVSS 7.5 (High) rating. It requires no user interaction, no privileges, and can be executed remotely with low complexity, making it a significant availability risk.
The issue affects GitLab CE/EE versions 17.10 up to (but not including) 18.4.5, 18.5 up to 18.5.3, and 18.6 up to 18.6.1. GitLab has released patches in versions 18.4.5, 18.5.3, and 18.6.1, which add proper validation for incoming JSON payloads and strengthen resource-handling logic to prevent service crashes.
Atlassian
“A single network request can knock Confluence offline — leaving users blocked from service.”
This High-severity Denial-of-Service vulnerability affects multiple versions of Atlassian Confluence Data Center and Server. Malicious requests can trigger excessive resource consumption, potentially making Confluence unavailable to all users. The issue carries a CVSS score of 8.3 (High).
The flaw was present across a broad range of releases. Atlassian has issued patched versions that resolve the underlying resource-handling weakness. Fixed builds include 8.5.25 and later, 9.2.7 and later, and 10.0.2 and later. There is currently no public indication of widespread real-world exploitation, no zero-day activity, and no released proof-of-concept code.
SonicWall
“One bad packet — and your firewall goes down.”
A new high-severity flaw, CVE-2025-40601, impacts the SSLVPN component in SonicWall SonicOS. This vulnerability is a stack-based buffer overflow that can be triggered remotely and without authentication, allowing an attacker to crash affected firewalls through a specially crafted SSLVPN request. The issue results in a Denial-of-Service condition that can interrupt perimeter security and halt VPN connectivity.
This vulnerability affects Gen7 and Gen8 SonicWall firewalls, both hardware and virtual, running older firmware versions (Gen7 ≤ 7.3.0-7012 and Gen8 ≤ 8.0.2-8011). The flaw carries a CVSS score of 7.5 (High). SonicWall reports no evidence of in-the-wild exploitation and no public Proof-of-Concept code at this time.
Patched firmware updates are available (Gen7: 7.3.1-7013 and newer; Gen8: 8.0.3-8011 and newer), fully addressing the vulnerability.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both OS and third-party software.
