Security Vulnerabilities - Known exploited
CVE-2025-21335
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
Known exploited
CVSS Score
7.8
EPSS Score
0.048
Published
2025-01-14
CVE-2024-13159
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Known exploited
CVSS Score
9.8
EPSS Score
0.939
Published
2025-01-14
CVE-2024-13160
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Known exploited
CVSS Score
9.8
EPSS Score
0.92
Published
2025-01-14
CVE-2024-13161
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Known exploited
CVSS Score
9.8
EPSS Score
0.897
Published
2025-01-14
CVE-2024-55591
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Known exploited
CVSS Score
9.8
EPSS Score
0.941
Published
2025-01-14
CVE-2024-53704
An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
Known exploited
CVSS Score
9.8
EPSS Score
0.938
Published
2025-01-09
CVE-2025-0282
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Known exploited
CVSS Score
9.0
EPSS Score
0.941
Published
2025-01-08
CVE-2024-50603
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Known exploited
CVSS Score
10.0
EPSS Score
0.944
Published
2025-01-08
CVE-2024-12987
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
Known exploited
CVSS Score
7.3
EPSS Score
0.811
Published
2024-12-27
CVE-2024-53197
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
A bogus device can provide a bNumConfigurations value that exceeds the
initial value used in usb_get_configuration for allocating dev->config.
This can lead to out-of-bounds accesses later, e.g. in
usb_destroy_configuration.
Known exploited
CVSS Score
7.8
EPSS Score
0.018
Published
2024-12-27