Here are the CVE updates for the week of April 7th through the 13th.
CRITICAL SEVERITY VULNERABILITIES
CrushFTP Authentication Bypass Vulnerability | CVE-2025-31161 (CISA KEV)
Description: CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1 contain an authentication bypass flaw that lets unauthenticated attackers gain admin access to the crushadmin account. The issue involves a race condition in login_user_pass() and improper session validation in the AWS4-HMAC mechanism. By sending a crafted header without the required SignedHeaders, attackers can trigger an index-out-of-bounds error that skips session cleanup, leading to unauthorized access. This vulnerability has been exploited in the wild and can result in full system compromise.
Potential Impacts:
- Administrative Account Takeover: Attackers can impersonate the crushadmin user.
- Full System Compromise: With admin access, attackers can manipulate configurations and access sensitive data.
- Privilege Escalation: Allows elevation of access rights across the application.
- Service Abuse: Unauthorized control of the FTP service may enable data exfiltration or system manipulation.
Mitigation Recommendations:
- Update CrushFTP Immediately: Upgrade to version 10.8.4 or 11.3.1 to address the vulnerability.
- Enable DMZ Proxy: Using a DMZ proxy instance mitigates unauthenticated access to the HTTP(S) port.
- Restrict Port Access: Limit public access to management interfaces via firewall or IP restrictions.
- Monitor Logs: Review authentication and access logs for suspicious activity, especially targeting crushadmin.
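For the first recommendation (upgrade to 10.8.4 or 11.3.1), a fleet check that sorts installed builds into the affected ranges is the practical first step. The script below is an added example, not CrushFTP's code; the affected ranges come from the advisory text above (10.x before 10.8.4, 11.x before 11.3.1), and the host names and version strings in it are constructed sample inventory.

```python
"""Inventory triage for CVE-2025-31161: which CrushFTP builds are still in an
affected range. Added example; not CrushFTP's own code."""
from typing import Optional

# Branch major -> first fixed build on that branch (from the advisory).
FIXED_BY_BRANCH = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> tuple:
    """Turn '11.2.0' into (11, 2, 0); a non-numeric suffix ends the parse."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def pad(v: tuple, width: int) -> tuple:
    """Right-pad with zeros so (11, 2) compares like (11, 2, 0)."""
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> Optional[bool]:
    """True when the build precedes the fix on its branch, False when it is
    at or past the fix, None when the advisory does not cover that branch."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return None
    width = max(len(v), len(fixed))
    return pad(v, width) < pad(fixed, width)


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' | 'fixed' | 'unknown' for a {host: version} dict."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts or real scan output.
    sample = {"ftp-a": "10.8.3", "ftp-b": "10.8.4", "ftp-c": "11.2",
              "ftp-d": "11.3.1", "ftp-e": "9.5"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Builds on a branch the advisory does not mention come back as `unknown` rather than `fixed`, so an unlisted 9.x install is surfaced for a manual look instead of silently passing.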
Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability | CVE-2025-30406 (CISA KEV)
Description: Gladinet CentreStack versions through 16.1.10296.56315 are vulnerable to remote code execution due to a hardcoded machineKey in the portal configuration. Attackers with knowledge of this key can craft malicious serialized payloads that are deserialized by the server. This flaw was actively exploited in March 2025 and patched in version 16.4.10315.56368. As a mitigation, admins can manually remove the machineKey from portal\web.config.
Potential Impacts:
- Remote Code Execution: Attackers may execute arbitrary code on the server by exploiting insecure deserialization.
- Full System Compromise: Exploiting this vulnerability could lead to complete control of the application and host.
- Data Breach: Unauthorized access to sensitive user and system data is possible.
- Persistence: Exploited systems may be used to deploy persistent backdoors or additional malware.
Mitigation Recommendations:
- Upgrade to Patched Version: Update CentreStack to version 16.4.10315.56368 or later to close the vulnerability.
- Remove Hardcoded Keys: Manually delete the machineKey in portal\web.config if upgrading is not immediately possible.
- Restrict Access: Limit access to CentreStack servers to trusted networks and authenticated users only.
- Monitor for Indicators of Compromise: Review logs for signs of unauthorized activity or exploitation attempts.
- Apply Web Application Firewall (WAF) Rules: Use a WAF to detect and block suspicious serialized payloads.
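The interim mitigation above is to remove the machineKey from portal\web.config. The script below is an added example, not Gladinet's code: it audits a web.config for a `<machineKey>` whose keys are literal values rather than `AutoGenerate`, and can return a copy with the element stripped. The sample configuration and its key values are constructed dummies, not the product's real keys.

```python
"""Audit an ASP.NET web.config for a static <machineKey> (the condition behind
CVE-2025-30406) and optionally strip it. Added example; not CentreStack code."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample; the key material here is dummy data.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

AUTO_DEFAULT = "AutoGenerate,IsolateApps"  # ASP.NET default when the attribute is absent


def find_static_machine_keys(xml_text: str) -> List[dict]:
    """One finding per <machineKey> that pins validationKey or decryptionKey
    to a literal value. AutoGenerate keys are not reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for mk in root.iter("machineKey"):
        static_attrs = [
            name for name in ("validationKey", "decryptionKey")
            if not mk.get(name, AUTO_DEFAULT).startswith("AutoGenerate")
        ]
        if static_attrs:
            findings.append({
                "static": static_attrs,
                "validation": mk.get("validation"),
                "decryption": mk.get("decryption"),
            })
    return findings


def strip_machine_key(xml_text: str) -> str:
    """Return the config text with every <machineKey> element removed.
    Writing the result back over the live file is left to the operator."""
    root = ET.fromstring(xml_text)
    # Snapshot the tree first so removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "machineKey":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_static_machine_keys(SAMPLE_WEB_CONFIG):
        print("static machineKey:", f)
    print(strip_machine_key(SAMPLE_WEB_CONFIG))
```

Removing the element makes ASP.NET generate per-application keys on the fly, which is the point of the stop-gap, but it also means ViewState and forms-authentication tickets no longer validate across a web farm that shared the old key; plan the upgrade to 16.4.10315.56368 rather than treating the removal as permanent.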
HIGH SEVERITY VULNERABILITIES
Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability | CVE-2025-29824 (CISA KEV): A use-after-free vulnerability in the Windows CLFS driver allows a local attacker with valid credentials to exploit memory mismanagement, potentially leading to arbitrary code execution or privilege escalation. Successful exploitation can compromise system integrity and security.
Linux Kernel Out-of-Bounds Read Vulnerability | CVE-2024-53150 (CISA KEV): A flaw in the ALSA USB-audio driver in the Linux kernel allows out-of-bounds reads due to missing validation of the bLength field in USB audio descriptors. Malformed descriptors with insufficient length can cause the driver to read beyond buffer boundaries, potentially leading to kernel instability. A patch now ensures proper length checks during descriptor parsing.
Linux Kernel Out-of-Bounds Access Vulnerability | CVE-2024-53197 (CISA KEV): A flaw in the Linux kernel’s ALSA USB-audio driver allows out-of-bounds memory access when handling USB devices like Extigy and Mbox with invalid bNumConfigurations values. This can occur if a device reports more configurations than the buffer can hold, affecting operations like usb_destroy_configuration and risking system stability. The issue is fixed in recent kernel updates with improved bounds checking.
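Both ALSA entries come down to trusting a length or count supplied by the device. The following is an added example in Python, not kernel code, that models the two checks the fixes add on constructed descriptor bytes: a descriptor walker that rejects a bLength shorter than the header or longer than the remaining buffer (CVE-2024-53150), and a bNumConfigurations reader that clamps the value to the configuration array's capacity (CVE-2024-53197). The capacity of 8 is an assumption taken from the kernel's USB_MAXCONFIG constant; the advisory itself only says the buffer is fixed-size.

```python
"""Device-supplied lengths and counts, validated before use. Added example
modelled on the ALSA USB-audio fixes; not the kernel's code."""
from typing import List, Tuple

USB_MAXCONFIG = 8            # assumed capacity (kernel's USB_MAXCONFIG)
DEVICE_DESCRIPTOR_LEN = 18   # standard USB device descriptor size
OFFSET_NUM_CONFIGS = 17      # bNumConfigurations is the last byte of it


class DescriptorError(ValueError):
    """Raised for any descriptor the device should not have sent."""


def walk_descriptors(buf: bytes, min_len: int = 2) -> List[Tuple[int, bytes]]:
    """Split a descriptor chain into (bDescriptorType, raw bytes) pairs.

    Every descriptor starts with bLength then bDescriptorType. A bLength
    below min_len (the header, or a larger per-type minimum the caller
    passes) or past the end of buf is rejected; without the second check the
    parser reads beyond the buffer, and without the first a zero bLength
    never advances the cursor.
    """
    out = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise DescriptorError(f"truncated header at offset {pos}")
        b_length, b_type = buf[pos], buf[pos + 1]
        if b_length < min_len:
            raise DescriptorError(f"bLength {b_length} < {min_len} at offset {pos}")
        if pos + b_length > len(buf):
            raise DescriptorError(f"bLength {b_length} overruns buffer at offset {pos}")
        out.append((b_type, buf[pos:pos + b_length]))
        pos += b_length
    return out


def is_well_formed(buf: bytes, min_len: int = 2) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        walk_descriptors(buf, min_len)
    except DescriptorError:
        return False
    return True


def num_configurations(device_desc: bytes) -> int:
    """Read bNumConfigurations, clamped to the array capacity. A device that
    claims more configurations than the array holds would otherwise drive
    later per-configuration loops out of bounds."""
    if len(device_desc) < DEVICE_DESCRIPTOR_LEN:
        raise DescriptorError("device descriptor too short")
    n = device_desc[OFFSET_NUM_CONFIGS]
    return min(n, USB_MAXCONFIG)


# Constructed samples (not captures from real hardware).
GOOD_CHAIN = bytes([9, 0x04, 0, 0, 0, 1, 1, 0, 0]) + bytes([7, 0x24, 0x01, 0, 1, 9, 0])
OVERRUN_CHAIN = bytes([9, 0x04, 0, 0, 0])          # claims 9 bytes, has 5
ZERO_LENGTH_CHAIN = bytes([0, 0x24, 0x01])          # bLength 0 would loop forever
GOOD_DEVICE = bytes([18, 0x01]) + bytes(15) + bytes([1])
BOGUS_DEVICE = bytes([18, 0x01]) + bytes(15) + bytes([200])

if __name__ == "__main__":
    print([hex(t) for t, _ in walk_descriptors(GOOD_CHAIN)])
    print(is_well_formed(OVERRUN_CHAIN), is_well_formed(ZERO_LENGTH_CHAIN))
    print(num_configurations(GOOD_DEVICE), num_configurations(BOGUS_DEVICE))
```

The clamp in `num_configurations` is a stand-in for the bound the patch adds; whether a real driver should clamp or reject is a policy choice, but either way the value must be checked before it indexes anything.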
MEDIUM SEVERITY VULNERABILITIES
Palo Alto Networks PAN-OS Unauthorized Access to Decrypted HTTP/2 Data | CVE-2025-0123: A vulnerability in PAN-OS allows authenticated administrators without a Decryption Port Mirror license to access decrypted HTTP/2 traffic via the packet capture feature. Normally, this license restricts such access to ensure secure handling of decrypted data. The issue only affects HTTP/2 streams and requires admin access to the management interface (web, SSH, console, or telnet). Prisma Access and Cloud NGFW are not affected, as packet capture access is limited to authorized Palo Alto Networks personnel.
Privilege Escalation via Race Condition in Palo Alto Networks GlobalProtect App for Windows | CVE-2025-0120: A vulnerability in the privilege management mechanism of the Palo Alto Networks GlobalProtect™ app for Windows allows a locally authenticated non-administrative user to escalate privileges to NT AUTHORITY\SYSTEM. The flaw stems from a race condition during privilege handling. While successful exploitation could result in full system control, the requirement to reliably trigger the race condition significantly raises the complexity and lowers the likelihood of exploitation.
HedgeDoc Stored XSS via Malicious SVG Upload | CVE-2025-32391: HedgeDoc versions before 1.10.3 are vulnerable to stored XSS through malicious SVG uploads. When such a file is opened in a new browser tab—especially via GitHub Gist embedding—it can exploit JSONP callbacks to execute arbitrary scripts. The issue only affects instances that serve uploaded files from the same domain or use the local filesystem as the upload backend.
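The precondition above is an uploaded SVG served from the application's own origin. Upgrading to 1.10.3 or moving uploads to a separate origin is the fix the advisory describes; as a defense-in-depth check an upload pipeline can run first, the added example below (not HedgeDoc's code) scans an SVG for script elements, event-handler attributes and `javascript:` or `data:text/html` links. The two SVG documents in it are constructed test inputs.

```python
"""Flag active content in an SVG upload. Added example; not HedgeDoc code.
Heuristic block list, intended to complement origin separation, not replace it."""
import xml.etree.ElementTree as ET
from typing import List

ACTIVE_ELEMENTS = {"script", "foreignObject"}  # scripts, and embedded HTML
ACTIVE_HREF_PREFIXES = ("javascript:", "data:text/html")


def local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> List[str]:
    """Return a human-readable finding for each piece of active content."""
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            v = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and v.startswith(ACTIVE_HREF_PREFIXES):
                findings.append(f"active href on <{tag}>")
    return findings


def is_safe_to_serve_inline(svg_text: str) -> bool:
    return not scan_svg(svg_text)


# Constructed test inputs; the script body is a placeholder, not a payload.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onclick="void 0"/>
  <script>/* placeholder */</script>
  <a xlink:href="javascript:void 0"><text>link</text></a>
</svg>"""

CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <circle r="5" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for finding in scan_svg(MALICIOUS_SVG):
        print("finding:", finding)
    print("clean ok:", is_safe_to_serve_inline(CLEAN_SVG))
```

Two caveats: the standard-library parser should be swapped for `defusedxml` when the input is untrusted, since it does not defend against entity-expansion attacks on its own; and a block list like this catches the common vectors but not every one, which is why serving uploads from a separate origin remains the real control.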
Missing Authorization Vulnerability in Brizy Pro | CVE-2025-26901: A missing authorization vulnerability has been identified in Brizy Pro versions up to and including 2.6.1. The flaw stems from improperly configured access control, allowing unauthorized users to access and interact with restricted functions within the plugin. Without proper verification of user privileges, attackers can potentially perform actions reserved for higher-level roles, such as administrators or editors.