Here are the CVE updates for the week of May 12th through the 18th.
CRITICAL SEVERITY VULNERABILITIES
Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability | CVE-2025-32756 (CISA KEV)
Description:
A critical stack-based buffer overflow vulnerability (CWE-121) impacts several Fortinet products, such as FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera. This issue results from improper handling of specially crafted hash cookies in HTTP requests. As a result, unauthenticated remote attackers can exploit the flaw to execute arbitrary code or commands, potentially leading to full system compromise.
Affected Versions:
- FortiVoice: 7.2.0, 7.0.0–7.0.6, 6.4.0–6.4.10
- FortiRecorder: 7.2.0–7.2.3, 7.0.0–7.0.5, 6.4.0–6.4.5
- FortiMail: 7.6.0–7.6.2, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.8
- FortiNDR: 7.6.0, 7.4.0–7.4.7, 7.2.0–7.2.4, 7.0.0–7.0.6
- FortiCamera: 2.1.0–2.1.3, all versions of 2.0 and 1.1
Potential Impacts:
- Remote Code Execution: Attackers can run code with system-level privileges.
- System Compromise: Full unauthorized control of devices.
- Service Disruption: Crashes or denial-of-service (DoS) events.
- Lateral Movement: Attackers may infiltrate other systems on the network.
Mitigation Recommendations:
- Apply Patches: Install the latest firmware updates from Fortinet.
- Restrict HTTP Access: Use firewalls and segmentation to limit exposure.
- Monitor for Exploits: Check logs for abnormal or unauthorized requests.
- Enable Fortinet Security Features: Activate IPS and other security layers to detect and block attacks.
SAP NetWeaver Deserialization Vulnerability | CVE-2025-42999 (CISA KEV)
Description:
SAP NetWeaver Visual Composer’s Metadata Uploader contains a critical deserialization flaw. A privileged user could upload untrusted content, which—if improperly validated—may allow code execution on the host system. The core issue lies in insecure deserialization processes, putting the entire system’s confidentiality, integrity, and availability at risk.
Potential Impacts:
- Remote Code Execution: may be triggered if untrusted serialized data is processed without validation.
- System Compromise: is possible, especially if an attacker gains control over key application functions.
- Data Breach: when the deserialized content grants access to confidential resources.
- Service Disruption: affecting business operations and user access to critical systems.
Mitigation Recommendations:
- Apply Security Updates: Install SAP’s latest patches.
- Restrict Upload Access: Allow only trusted users to upload metadata.
- Validate Input: Enforce strict checks on serialized data.
- Monitor User Behavior: Audit uploads and investigate suspicious activity.
HIGH SEVERITY VULNERABILITIES
Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability | CVE-2025-32709 (CISA KEV): A use-after-free vulnerability has been identified in the Windows Ancillary Function Driver for WinSock. This flaw allows a locally authenticated attacker to elevate privileges on the affected system. The vulnerability arises when the driver mishandles memory during specific operations, leading to the potential reuse of freed memory pointers. Successful exploitation could allow the attacker to execute code with elevated privileges.
Microsoft Windows Scripting Engine Type Confusion Vulnerability | CVE-2025-30397 (CISA KEV): A type confusion vulnerability exists in the Microsoft Scripting Engine, where resources are accessed using an incompatible type. This flaw can be exploited by an unauthorized remote attacker to execute arbitrary code. The vulnerability is triggered when crafted data is processed by the scripting engine, leading to memory corruption. This could allow the attacker to gain control of the affected system.
Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability | CVE-2025-32706 (CISA KEV): A vulnerability in the Windows Common Log File System (CLFS) Driver stems from improper input validation, allowing a locally authenticated attacker to escalate privileges. By sending specially crafted input to the driver, an attacker can exploit this flaw to gain elevated permissions, potentially achieving SYSTEM-level access. This vulnerability is particularly critical on systems where unprivileged users have local access.
Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability | CVE-2025-32701 (CISA KEV): A use-after-free vulnerability exists in the Windows Common Log File System (CLFS) Driver, which allows a locally authenticated attacker to elevate privileges. By exploiting the flaw in memory handling, the attacker may trigger a use-after-free condition that enables arbitrary code execution with SYSTEM-level privileges. This poses a significant risk on systems where attackers can gain local access.
Microsoft Windows DWM Core Library Use-After-Free Vulnerability | CVE-2025-30400(CISA KEV): A use-after-free vulnerability has been identified in the Windows Desktop Window Manager (DWM). This flaw allows a locally authenticated attacker to exploit improper memory handling in DWM to execute code with elevated privileges. By triggering the vulnerability through specific interactions with the system, the attacker may achieve privilege escalation, gaining SYSTEM-level access.
MEDIUM SEVERITY VULNERABILITIES
TeleMessage TM SGNL Hidden Functionality Vulnerability: | CVE-2025-47729 (CISA KEV): A critical vulnerability in the TeleMessage archiving backend (through 2025-05-05) enables the storage of TM SGNL (also known as Archive Signal) messages in unencrypted cleartext. Although the vendor claims that communication is end-to-end encrypted “from the mobile phone through to the corporate archive,” the backend stores messages in plain text instead.
DrayTek Vigor Routers OS Command Injection Vulnerability: | CVE-2024-12987 (CISA KEV): A critical command injection vulnerability affects DrayTek Vigor2960 and Vigor300B routers running firmware version 1.5.1.4. The issue lies in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint of the Web Management Interface. Specifically, improper input validation of the session parameter enables remote attackers to inject and execute arbitrary OS commands.
Google Chromium Loader Insufficient Policy Enforcement Vulnerability: | CVE-2025-4664(CISA KEV): A high-severity vulnerability in Google Chrome’s Loader component affects versions prior to 136.0.7103.113. Due to insufficient enforcement of cross-origin security policies, remote attackers could exploit this flaw to access sensitive cross-origin data.