Here are the CVE updates for the week of May 26th through June 1st.
🔴 Critical Severity Vulnerabilities
Remote Code Execution and Authentication Bypass in Evertz SDVN 3080ipx-10G | CVE-2025-4009
Description: A critical vulnerability affects the Evertz SDVN 3080ipx-10G, a high-bandwidth Ethernet switching device used in professional video applications. The web management interface, exposed on port 80 and built with the PHP-based webEASY SDK (ewb), contains two exploitable flaws. First, attackers can bypass the authentication mechanism. Second, two endpoints within the interface are vulnerable to arbitrary command injection. These combined issues allow remote, unauthenticated attackers to gain root-level access and execute commands.
Potential Impacts:
- Remote Code Execution: Attackers can run arbitrary commands as root without prior authentication.
- Authentication Bypass: The login system can be defeated, granting full administrative privileges.
- Media Service Disruption: Attackers may interrupt, hijack, or corrupt live media streams and captioning output.
- Unauthorized System Modification: Malicious users can change system configurations, license settings, or networking parameters.
Mitigation Recommendations:
- Restrict Access: Only permit access to the web interface from trusted internal networks.
- Apply Vendor Patch: Reach out to Evertz for firmware updates or official mitigation steps.
- Segment Networks: Isolate media switching equipment from other segments to minimize risk.
- Monitor Logs: Consistently review system and web server logs for signs of intrusion or command execution.
SQL Injection in Navidrome /api/artist Endpoint | CVE-2025-48949
Description: Navidrome, an open-source music streaming server, suffers from a SQL injection flaw in versions 0.55.0 through 0.55.2. The issue stems from improper input validation of the role parameter in the /api/artist endpoint. A remote attacker can send crafted input that is injected into SQL queries, potentially gaining unauthorized access to backend data. This vulnerability is patched in version 0.56.0.
Potential Impacts:
- Data Exposure: Attackers can extract sensitive user information from the database.
- Data Manipulation: Malicious users may alter or delete database content.
- Authentication Bypass: Gaining access to or changing credentials could allow system access.
- Service Disruption: Crafted queries may crash or destabilize backend services.
Mitigation Recommendations:
- Upgrade to v0.56.0: The vulnerability is resolved in this version.
- Sanitize Inputs: Validate all API parameters to prevent injection.
- Audit Logs: Regularly check logs for suspicious queries or errors.
- Harden Database Access: Minimize privileges to reduce risk exposure.
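For the "Audit Logs" recommendation above, the following is an added example (not code from Navidrome or from the advisory) that scans web access logs for /api/artist requests whose role parameter is not a plain identifier. It assumes combined-format access logs from a reverse proxy in front of the server and that legitimate role values are short lowercase words; the function name, pattern and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate role values are short lowercase identifiers.
SAFE_ROLE = re.compile(r"^[a-z_]{1,32}$")

# Client IP, request target and status from a combined-format access log line.
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_role_requests(lines):
    """Return (ip, status, role) for /api/artist requests with an unexpected role value."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/api/artist":
            continue  # only the endpoint named in the advisory
        # parse_qs decodes once; decode again so double-encoded input is seen too.
        for role in parse_qs(url.query).get("role", []):
            decoded = unquote(role)
            if not SAFE_ROLE.match(decoded):
                findings.append((m["ip"], int(m["status"]), decoded))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/May/2025:10:01:02 +0000] "GET /api/artist?role=composer&_end=15 HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/May/2025:10:03:44 +0000] "GET /api/artist?role=composer%27-- HTTP/1.1" 500 87',
    '198.51.100.7 - - [28/May/2025:10:03:51 +0000] "GET /api/artist?role=x%2527 HTTP/1.1" 500 87',
    '192.0.2.10 - - [28/May/2025:10:04:00 +0000] "GET /api/album?role=a%27b HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, status, role in suspicious_role_requests(SAMPLE_LOG):
        print(f"{ip} status={status} role={role!r}")
```

Hits that coincide with 5xx responses are worth reviewing first, since the page notes that crafted queries may crash or destabilize backend services.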
🟠 High Severity Vulnerabilities
Incorrect Authorization in FortiClient for Mac | CVE-2025-25251
A privilege escalation issue was found in FortiClient for Mac, affecting versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.14. Because the app does not validate interprocess communication (XPC) messages properly, a local attacker could use specially crafted messages to gain elevated privileges.
Denial-of-Service via Malicious HTTP Header | CVE-2025-41653
Security analysts discovered a denial-of-service flaw in an undisclosed web server. An unauthenticated remote user can send a malformed HTTP request that crashes the service, thereby disrupting access.
Out-of-Bounds Write in V8 Engine in Chrome | CVE-2025-5280
Google Chrome (prior to version 137.0.7151.55) contains a memory handling flaw in the V8 JavaScript engine. When users visit a malicious HTML page, it may cause heap corruption and potentially allow attackers to execute arbitrary code.
🟡 Medium Severity Vulnerabilities
Incorrect Access Control in M2Soft CROWNIX Report & ERS | CVE-2024-57336
A flaw in M2Soft CROWNIX Report & ERS (versions 7.x through 7.4.3.599 and 8.x through 8.0.3.79) allows unauthorized attackers to access the Administrator account due to improper enforcement of user permissions. This could enable privilege escalation through authentication bypass.
Use-After-Free in libvpx in Chrome | CVE-2025-5283
This flaw, found in libvpx (used in VP8/VP9 video decoding), may be exploited by remote attackers through crafted HTML pages. If successful, it could lead to heap corruption.
Use-After-Free in libvpx in Chrome | CVE-2025-5295
Similar to CVE-2025-5283, this vulnerability also impacts libvpx in Chrome prior to version 137.0.7151.55. Attackers may exploit this issue to trigger memory corruption and possibly escalate control, depending on system conditions.