Karl.Fail

Tag: cve

  • CVE-2025-21307: Critical Remote Code Execution in Windows RMCAST Driver

    Overview

    Microsoft disclosed a critical vulnerability identified as CVE-2025-21307 in the Windows Reliable Multicast Transport (RMCAST) driver on January 14, 2025. This vulnerability allows remote code execution and affects a broad range of Windows versions, including Windows 10, 11, and multiple Windows Server editions. With a CVSS v3.1 base score of 9.8, it is classified as Critical.

    Technical Details

    The root cause of this vulnerability is a Use After Free flaw, classified under CWE-416. This type of issue arises when a program continues to use memory after it has been freed, potentially allowing attackers to execute arbitrary code with kernel-level privileges. RMCAST, as a low-level driver responsible for multicast traffic, becomes a dangerous attack surface when such flaws are present.

    CVSS and Risk Analysis

    According to the CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this vulnerability is:

    • Remotely exploitable over the network
    • Low complexity to exploit
    • No privileges or user interaction required
    • High impact on confidentiality, integrity, and availability

    The CISA Stakeholder-Specific Vulnerability Categorization (SSVC) assessment noted the potential for automated exploitation and described the technical impact as total.

    Affected Systems

    The vulnerability affects a wide set of Windows versions, including:

    • Windows 10 (1507, 1607, 1809, 21H2, 22H2)
    • Windows 11 (22H2, 23H2, 24H2)
    • Windows Server (2008 SP2, 2008 R2, 2012, 2016, 2019, 2022, 2025)

    Mitigation and Recommendations

    Microsoft has released patches addressing the flaw. To mitigate the risk, administrators should:

    • Apply the latest security updates immediately
    • Implement strict network segmentation and firewall policies
    • Audit multicast usage and disable RMCAST if not required

    Example minimum safe versions include:

    • Windows 10 Version 1809: 10.0.17763.6775 or later
    • Windows Server 2022: 10.0.20348.3091 or later
    • Windows 11 22H2: 10.0.22621.4751 or later

    Conclusion

    CVE-2025-21307 presents a critical risk due to its remote exploitability, lack of prerequisites, and broad impact across Windows ecosystems. Timely patching and proactive mitigation strategies are essential to secure systems against this vulnerability.

    Read the full advisory on the Microsoft Security Update Guide.

  • CVE-2025-21307: Critical Remote Code Execution in Windows RMCAST Driver

    Overview

    On January 14, 2025, Microsoft disclosed CVE-2025-21307, a critical vulnerability in the Windows Reliable Multicast Transport (RMCAST) driver that enables remote code execution. With a CVSS v3.1 base score of 9.8, this vulnerability poses a severe threat to numerous supported and legacy Windows systems.

    Technical Details

    The issue stems from a Use After Free vulnerability, classified as CWE-416. This occurs when a program continues to use a pointer after it has been freed, allowing an attacker to exploit the dangling pointer to execute arbitrary code within the kernel space. Given that RMCAST operates at a low-level networking layer, this provides an attacker significant control over system behavior once exploited.

    The vulnerability affects a wide range of Windows versions, including:

    • Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
    • Windows 11 (versions 22H2, 23H2, 24H2)
    • Windows Server (2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2025)

    Exploitation does not require authentication or user interaction, and the attack can be carried out over the network, making it highly dangerous in unsegmented or exposed environments.

    Impact

    According to the CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), this vulnerability allows:

    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

    The vulnerability is not known to be exploited in the wild at the time of disclosure, and Microsoft has issued updates to remediate the issue. The CISA SSVC analysis classified this flaw as having a total technical impact with the potential for automated exploitation, emphasizing the urgency for mitigation.

    Mitigation and Recommendations

    Microsoft has released patches through its regular update channels. All affected systems should be updated immediately to versions beyond:

    • 10.0.17763.6775 (Windows 10 Version 1809)
    • 10.0.20348.3091 (Windows Server 2022)
    • 10.0.22621.4751 (Windows 11 22H2)

    System administrators are encouraged to:

    • Deploy patches as soon as possible.
    • Use network segmentation and firewalls to reduce the attack surface.
    • Audit multicast traffic and disable RMCAST if not in use.

    Conclusion

    CVE-2025-21307 represents a serious risk due to its low complexity, remote exploitability, and severe impact. With broad applicability across many supported and end-of-life systems, proactive patching is essential. Organizations should prioritize this vulnerability and monitor vendor advisories for ongoing updates.

    For further information, visit the official Microsoft advisory.

  • CVE-2025-4641: Critical XXE Vulnerability in WebDriverManager

    Overview

    A critical vulnerability identified as CVE-2025-4641 has been discovered in WebDriverManager, an open-source Java library by bonigarcia widely used to automate the management of WebDriver binaries in Selenium-based projects. This issue affects versions from 1.0.0 up to but not including 6.0.2 across Windows, MacOS, and Linux platforms.

    Vulnerability Details

    The vulnerability is categorized as an Improper Restriction of XML External Entity Reference (CWE-611), commonly known as an XXE Injection. It allows attackers to exploit XML parsing components in the affected modules, potentially triggering uncontrolled external entity resolution.

    Specifically, the vulnerability resides in the file WebDriverManager.java, where XML inputs are processed without adequately restricting external entities. This can result in the exposure of sensitive information, denial of service (billion laughs attack), or interaction with internal systems.

    Technical Breakdown

    • CVSS v4.0 Base Score: 9.3 (Critical)
    • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High Availability and Confidentiality, Low Integrity

    Impacts and Exploitation

    This vulnerability enables attackers to send malicious XML payloads to the system, potentially causing:

    • Denial of service via entity expansion attacks
    • Disclosure of internal file contents or environment variables
    • Interaction with internal systems behind firewalls

    According to CAPEC-221, this class of vulnerability involves Data Serialization External Entities Blowup.

    Affected Versions

    All versions of webdrivermanager from 1.0.0 up to 6.0.1 are affected. The vulnerability is patched in version 6.0.2.

    Mitigation and Recommendations

    • Upgrade to WebDriverManager version 6.0.2 or later.
    • Review XML processing configurations and disable external entity processing explicitly.
    • Conduct code audits for custom XML parsers in your Java environment.
    • Apply defense-in-depth practices such as input validation and access controls.

    Conclusion

    CVE-2025-4641 highlights the persistent risks of insecure XML parsing. Development teams should stay vigilant when handling structured data formats like XML and ensure that secure parser configurations are enforced by default. For more technical insights, refer to the related GitHub pull request.

  • Critical Authorization Vulnerability in Adobe Commerce (CVE-2025-24434)

    Overview

    A critical vulnerability identified as CVE-2025-24434 has been discovered in Adobe Commerce. This flaw involves incorrect authorization logic and allows attackers to escalate privileges and take over sessions. Exploitation does not require user interaction and has severe confidentiality and integrity implications.

    Vulnerability Details

    This vulnerability is categorized under CWE-863: Incorrect Authorization. Affected Adobe Commerce versions do not properly enforce authorization controls, allowing unauthorized users to gain access to protected resources or perform privileged actions.

    Technical Breakdown

    • CVSS v3.1 Base Score: 9.1 (Critical)
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Confidentiality & Integrity Impact: High
    • Availability Impact: None

    Affected Versions

    The vulnerability affects Adobe Commerce versions up to and including:

    • 2.4.8-beta1
    • 2.4.7-p3
    • 2.4.6-p8
    • 2.4.5-p10
    • 2.4.4-p11 and earlier

    Impact

    If successfully exploited, attackers can escalate privileges, perform session takeovers, and gain unauthorized access to sensitive systems and data, significantly affecting business operations and user trust.

    Mitigation and Recommendations

    • Apply the latest Adobe Commerce patches immediately.
    • Review and tighten access control policies and session management configurations.
    • Monitor authentication and authorization logs for signs of exploitation.

    References

    For further information, consult the Adobe Security Bulletin.

  • Authentication Bypass in PAM-PKCS#11 due to Weak Default `cert_policy` Setting

    Overview

    CVE-2025-24032 identifies a critical vulnerability in PAM-PKCS#11, a Linux-PAM module enabling X.509 certificate-based authentication.

    Technical Details

    The vulnerability, classified under CWE-287: Improper Authentication, arises when cert_policy is set to none (default). In such cases, pam_pkcs11 validates only that a user can log into a token—without requiring private key signature verification.

    This means an attacker can craft a token using a victim’s public certificate and a known PIN. Since no signature is required, the attacker can bypass authentication and gain unauthorized access.

    Severity and CVSS

    • CVSS 4.0 Base Score: 9.2 (Critical)
    • Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

    Affected Versions

    All versions prior to pam_pkcs11-0.6.13 are impacted.

    Mitigation and Recommendations

    • Upgrade to version 0.6.13 immediately.
    • In pam_pkcs11.conf, set cert_policy = signature; explicitly to enforce private key verification.

    Conclusion

    This vulnerability demonstrates the dangers of insecure default configurations. Ensuring that authentication relies on proper cryptographic verification is critical for maintaining secure login workflows.

    For more technical details and mitigation steps, refer to the official GitHub advisory.

  • Critical Deserialization Vulnerability in Adobe ColdFusion (CVE-2025-24447)

    Overview

    A critical vulnerability, identified as CVE-2025-24447, has been disclosed in Adobe ColdFusion, affecting versions 2025.0, 2023.12, 2021.18, and earlier. The vulnerability results from the deserialization of untrusted data and could allow attackers to execute arbitrary code within the context of the current user. No user interaction is required to exploit this issue, making it particularly dangerous.

    Technical Details

    This vulnerability is classified under CWE-502: Deserialization of Untrusted Data. When an application deserializes data without verifying its source or integrity, it becomes vulnerable to malicious payloads embedded in serialized objects. In this case, ColdFusion may deserialize crafted input from an attacker, leading to code execution.

    The vulnerability is accessible via network and requires no authentication or user interaction. The impact is significant, particularly to confidentiality and integrity, though availability is not directly affected.

    CVSS v3.1 Vector

    • Base Score: 9.1 (Critical)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    • Attack Vector: Network
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Confidentiality/Integrity Impact: High

    Affected Versions

    • Adobe ColdFusion 2025.0 and earlier
    • Adobe ColdFusion 2023.12
    • Adobe ColdFusion 2021.18

    Mitigation and Recommendations

    Adobe has released security patches as part of its April 2025 Security Bulletin. All organizations using affected versions of ColdFusion should:

    • Apply the security updates immediately
    • Audit ColdFusion applications for unexpected behavior or access
    • Restrict input sources and validate data formats rigorously

    Conclusion

    CVE-2025-24447 highlights the persistent risks posed by insecure deserialization practices in web applications. Given its ease of exploitation and critical impact, this vulnerability demands urgent attention and immediate remediation.

    For more information, refer to the Adobe Security Bulletin.

  • Critical Improper Input Validation Vulnerability in Adobe ColdFusion (CVE-2025-24446)

    Overview

    Adobe ColdFusion has been found vulnerable to an Improper Input Validation issue, tracked as CVE-2025-24446. This vulnerability affects ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier. Exploitation allows an attacker with administrative privileges to execute arbitrary code remotely without any user interaction.

    Technical Details

    This flaw is categorized under CWE-20: Improper Input Validation. The core issue lies in the failure to properly sanitize input data, which can be exploited to execute arbitrary code within the context of the application. Although user interaction is not required, admin panel privileges are necessary to leverage this vulnerability.

    CVSS Score and Severity

    According to the CVSS v3.1 scoring system, this vulnerability has a base score of 9.1, labeled as Critical. The CVSS vector is:

    • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
    • Impact on Confidentiality, Integrity, Availability: High

    Affected Versions

    • Adobe ColdFusion 2025.0 and earlier
    • Adobe ColdFusion 2023.12
    • Adobe ColdFusion 2021.18

    Mitigation and Recommendations

    Adobe has released updates to address this vulnerability. Organizations using affected versions should:

    • Apply the latest ColdFusion security updates immediately.
    • Restrict administrative access to trusted users and internal networks only.
    • Monitor ColdFusion servers for unusual behavior or unauthorized access.

    Conclusion

    CVE-2025-24446 highlights the ongoing importance of input validation in web applications. Despite the need for admin privileges, the lack of user interaction combined with the critical severity makes this a high-priority issue for all ColdFusion users.

    For more details, refer to the Adobe Security Bulletin.

  • Critical RCE Vulnerability in Tauri Plugin Shell (CVE-2025-31477)

    Overview

    A critical security vulnerability, identified as CVE-2025-31477, has been discovered in the Tauri Plugin Shell, specifically affecting the open endpoint. This flaw allows improper scope validation, enabling the execution of dangerous protocols that can lead to remote code execution (RCE).

    Technical Details

    The vulnerability is rooted in CWE-20: Improper Input Validation. In affected versions prior to 2.2.1, the open endpoint fails to properly restrict supported protocols. Although it was intended to only permit safe protocols like https:// or mailto:, it mistakenly allowed others such as file://, smb://, or nfs://. When untrusted user input is passed to this endpoint, these protocols may be triggered, allowing arbitrary file access or command execution through the system’s registered protocol handler.

    Severity and Exploitation

    The vulnerability has a CVSS 4.0 base score of 9.3 (Critical), reflecting its high potential impact:

    • Attack Vector: Network
    • Privileges Required: None
    • User Interaction: None
    • Impact: High (Confidentiality, Integrity, Availability)

    This issue can be exploited either by exposing the vulnerable endpoint to users directly or by executing malicious code in the frontend of a Tauri application.

    Affected Versions

    • All versions of tauri-plugin-shell prior to 2.2.1

    Mitigation and Recommendations

    This vulnerability has been fixed in version 2.2.1. It is strongly recommended that all users of the Tauri shell plugin:

    • Upgrade to v2.2.1 or later immediately
    • Restrict usage of the open endpoint to trusted inputs
    • Audit frontend code to avoid execution of user-controlled inputs

    References

  • Code Injection Vulnerability in SAP Landscape Transformation (SLT)

    Overview

    CVE-2025-31330 is a critical vulnerability in SAP Landscape Transformation (SLT), specifically affecting the Analysis Platform component. The flaw enables authenticated users to inject arbitrary ABAP code into the system through a remotely exposed RFC function module. The vulnerability bypasses key authorization checks, effectively acting as a backdoor and posing significant risk to system confidentiality, integrity, and availability.

    Technical Details

    The vulnerability is categorized under CWE-94: Improper Control of Generation of Code (‘Code Injection’). It exists due to the improper validation of input passed to a function module accessible over RFC. Users with limited privileges can exploit this flaw to execute arbitrary code, thereby escalating privileges and compromising the SAP environment.

    The vulnerability is remotely exploitable without user interaction and impacts systems configured with affected SLT versions. The attack can result in:

    • Unauthorized execution of ABAP code
    • Bypassing of critical authorization mechanisms
    • Complete takeover of the affected SAP system

    CVSS Score and Vector

    Base Score: 9.9 (Critical)
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    This vector indicates a network-based attack with low complexity, requiring only low privileges, and affecting multiple security domains (scope changed).

    Affected Products

    • SAP Landscape Transformation (Analysis Platform)
      Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731

    Mitigation and Recommendations

    SAP has addressed this vulnerability in its April 2025 Security Patch Day. Organizations using the affected SLT versions should:

    • Apply SAP Note 3587115 immediately
    • Restrict RFC access to trusted users and IP ranges
    • Audit RFC-enabled function modules and related authorizations
    • Monitor systems for unusual ABAP code executions or privilege escalations

    Conclusion

    CVE-2025-31330 is a critical reminder of the risks posed by improperly secured remote function modules in enterprise software. Given the potential for full system compromise, prompt remediation is essential.

  • CVE-2025-31324: Critical File Upload Vulnerability in SAP NetWeaver Visual Composer

    Overview

    CVE-2025-31324 exposes a critical vulnerability in SAP NetWeaver Visual Composer development server, specifically in the Metadata Uploader component. The flaw enables unauthenticated attackers to upload malicious binaries without proper authorization, resulting in potential full compromise of the host system.

    Technical Details

    This vulnerability arises due to a missing authorization check (CWE-434: Unrestricted Upload of File with Dangerous Type). The Metadata Uploader allows file submissions without verifying the origin or privileges of the request. Consequently, an attacker can send specially crafted executable files over HTTP, leading to remote code execution, data breaches, or system outages.

    CVSS Score and Vector

    • Base Score: 10.0 (Critical)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Impact: High (Confidentiality, Integrity, Availability)

    Affected Product

    • SAP NetWeaver (Visual Composer development server), Version: VCFRAMEWORK 7.50

    Mitigation and Recommendations

    SAP has issued security patches addressing this vulnerability in its April 2025 Security Patch Day. Organizations using affected systems should:

    • Apply the latest SAP patches immediately.
    • Restrict network access to the Visual Composer development server.
    • Audit access logs for signs of unauthorized file uploads.
    • Review and enforce strict authorization policies on all upload mechanisms.

    Active Exploitation

    Reports confirm that this vulnerability is under active exploitation in the wild. Security teams should treat this as a high-priority incident and verify whether their environments show any indication of compromise.

    For further details, consult the following resources: