Vulnerability Recap

Cybersecurity News, CVE Recaps, and Education Resource


CVE Updates (June 2 – 8, 2025)

Vuln Recap Editor, June 9, 2025

Here are the CVE updates for the week of June 2nd through the 8th.

🔴 Critical Severity Vulnerabilities

ASUS Routers Improper Authentication Vulnerability | CVE-2021-32030 (CISA KEV)

Description: A critical authentication bypass vulnerability was identified in the administrator interface of ASUS GT-AC2900 devices prior to firmware version 3.0.0.4.386.42643 and Lyra Mini devices prior to 3.0.0.4_384_46630. This issue stems from the improper processing of null (\0) characters in functions such as handle_request and auth_check, which can result in unauthorized access. By exploiting this flaw, an attacker may match default system values and gain access to admin controls. Notably, all unsupported (EOL) versions of Lyra Mini are also vulnerable.

Potential Impacts:

  • Unauthorized Access: Administrative controls may be obtained without valid credentials.
  • Configuration Manipulation: Security settings could be altered or disabled.
  • Network Compromise: Full admin rights may enable broader network attacks.
  • Data Exposure: Sensitive data such as credentials or traffic could be leaked.

Mitigation Recommendations:

  • Firmware Upgrade: Apply firmware version 3.0.0.4.386.42643 or later.
  • Disable Remote Access: Prevent external exploitation by disabling WAN management.
  • Device Replacement: Replace unsupported Lyra Mini devices.
  • Network Segmentation: Restrict admin interfaces to internal networks.
  • Monitor Access Logs: Continuously review logs for unusual access patterns.
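
The null-character handling problem described above for CVE-2021-32030, shown as an added illustration of the bug class (constructed code, not ASUS firmware source): a C-string comparison stops at the first \0, so a submitted value that begins with \0 compares equal to an unset default. The function names, the empty default value, and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Weak: strcmp() stops at the first NUL byte, so a submitted value that
 * begins with \0 is seen as "" and equals an unset (empty) stored value. */
int token_ok_weak(const char *submitted, const char *stored)
{
    return strcmp(submitted, stored) == 0;
}

/* Hardened: trusts the byte count from the request parser, not strlen(). */
int token_ok_strict(const unsigned char *submitted, size_t submitted_len,
                    const char *stored)
{
    size_t stored_len = strlen(stored);
    unsigned char diff = 0;

    if (stored_len == 0)                  /* unset secret never authenticates */
        return 0;
    if (submitted_len != stored_len)      /* length mismatch */
        return 0;
    if (memchr(submitted, '\0', submitted_len) != NULL)
        return 0;                         /* embedded NUL in the input */
    for (size_t i = 0; i < stored_len; i++)   /* no early exit on mismatch */
        diff |= (unsigned char)(submitted[i] ^ (unsigned char)stored[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample input: four bytes, the first of which is NUL. */
    const unsigned char nul_led[] = { 0x00, 'A', 'B', 'C', 0x00 };
    const char *unset_default = "";       /* assumed default: never configured */

    printf("weak   vs unset default: %d\n",
           token_ok_weak((const char *)nul_led, unset_default));
    printf("strict vs unset default: %d\n",
           token_ok_strict(nul_led, 4, unset_default));
    printf("strict, correct secret : %d\n",
           token_ok_strict((const unsigned char *)"s3cret", 6, "s3cret"));
    return 0;
}
```

The strict variant closes the gap in two independent ways: an unset secret can never authenticate, and the comparison covers the full received length instead of stopping at the first \0.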

🟠 High Severity Vulnerabilities

ConnectWise ScreenConnect Improper Authentication Vulnerability | CVE-2025-3935 (CISA KEV)

ScreenConnect versions 25.2.3 and earlier are susceptible to ViewState code injection due to ASP.NET Web Forms behavior. If machine keys are compromised, malicious ViewState data may be used to execute remote code. The issue was mitigated in version 2025.4 by disabling ViewState completely.

ASUS RT-AX55 Routers OS Command Injection Vulnerability | CVE-2023-39780 (CISA KEV)

Firmware version 3.0.0.4.386.51598 of the ASUS RT-AX55 router contains a command injection flaw in the /start_apply.htm endpoint. Improper input sanitization of the qos_bw_rulelist parameter allows command execution with elevated privileges.

Qualcomm Chipsets Authorization Vulnerabilities | CVE-2025-21479 & CVE-2025-21480 (CISA KEV)

Two memory corruption vulnerabilities affect Qualcomm GPU micronodes. These are triggered by unauthorized command sequences that bypass proper validation, potentially leading to privilege escalation or system instability.

Qualcomm Adreno GPU Use-After-Free | CVE-2025-27038 (CISA KEV)

A vulnerability in Adreno GPU drivers can be triggered during Chrome-based rendering tasks. If exploited, attackers may execute code or crash the browser through crafted web content.

Google Chromium V8 Memory Corruption | CVE-2025-5419 (CISA KEV)

The V8 JavaScript engine in Chrome (prior to 137.0.7151.68) has an out-of-bounds read/write vulnerability. This issue enables attackers to corrupt memory and execute arbitrary code when a user visits a malicious site.

🟡 Medium Severity Vulnerabilities

Craft CMS Remote Code Execution | CVE-2024-56145 & CVE-2025-35939 (CISA KEV)

Craft CMS installations with register_argc_argv enabled are vulnerable to remote code execution. The flaws introduce an attack vector that may be exploited remotely if this PHP setting is active. Affected users should update to versions 3.9.14, 4.13.2, or 5.5.2.
