Here are the CVE updates for the week of September 1st through the 7th.
🔴 Critical Severity Vulnerabilities
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability (CISA KEV) | CVE-2025-53690
Description:
Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) through version 9.0 deserialize untrusted data supplied by the client. Because the application does not verify serialized objects before deserializing them, an attacker can craft a malicious payload that triggers arbitrary code execution in the web application's context and then run system-level commands on the Sitecore host. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, so any internet-facing instance on an affected version should be treated as already targeted.
Potential Impacts:
- Remote Code Execution (RCE): Attackers execute arbitrary code on the target host.
- Application Takeover: They gain full control of the Sitecore environment, disrupting websites and services.
- Data Exfiltration: Attackers steal sensitive information from the Sitecore platform.
- Persistence: They can install backdoors or deploy malware for long-term access.
Mitigation Recommendations:
- Upgrade Sitecore: Move to a supported XM/XP release later than 9.0, since newer builds address the flaw.
- Rotate Machine Keys: Exploitation of this CVE has been tied to ASP.NET machineKey values copied from Sitecore's older deployment guides, so generate unique keys per instance and rotate any key that was ever published or shared across environments.
- Restrict Network Access: Expose Sitecore admin and API endpoints only to trusted networks.
- Deserialization Controls: Reject serialized data that fails its integrity check and never deserialize input that arrives from untrusted sources.
- Web Application Firewall (WAF): Deploy rules that detect and block known deserialization payloads, treating the WAF as a stopgap rather than the fix.
Remote Code Execution via Unsanitized GitHub Workflow in Roo Code | CVE-2025-58371
Description:
Roo Code versions 3.26.6 and earlier ship a GitHub Actions workflow that expands unsanitized pull request metadata inside a step running in a privileged context. An attacker can therefore open a pull request whose metadata carries shell syntax and obtain Remote Code Execution (RCE) on the GitHub Actions runner. Because the workflow runs with broad permissions and access to repository secrets, the attacker can execute commands, push or modify code, read secrets, and publish malicious releases. Version 3.26.7 fixes the issue.
Potential Impacts:
- Remote Code Execution: Attackers run arbitrary commands on the GitHub Actions runner.
- Repository Compromise: They alter or push source code.
- Secrets Exposure: Attackers gain access to stored tokens and secrets.
- Supply Chain Attack: They distribute malicious packages downstream.
Mitigation Recommendations:
- Upgrade Roo Code: Update to version 3.26.7 or later.
- Restrict Workflow Permissions: Declare a minimal permissions block per job, avoid write-all, and be especially careful with pull_request_target and other triggers that run with the base repository's secrets against untrusted input.
- Keep Untrusted Data Out of Scripts: Never place github.event.* or github.head_ref expressions directly inside a run step; pass them through an env variable so the shell treats them as data, and validate them before use.
- Monitor Repository for Abuse: Audit workflow runs, commits, releases, and secret usage regularly.
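The following Python is an added illustration and is not Roo Code's workflow or code. It embeds two constructed workflows that reproduce the pattern behind this class of bug: the first expands pull request metadata directly inside a run step, the second passes the same values through env variables. A small checker flags the dangerous pattern, and a helper mimics what the runner does (textual substitution before the shell ever parses the script) so the injection is visible. The workflow names, step names and the list of untrusted contexts are assumptions for the demo.

```python
import re

# Constructed sample workflows. They are NOT Roo Code's real workflow; they only
# reproduce the pattern: untrusted PR metadata expanded inside a privileged step.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened, edited]
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Log the PR
        run: |
          echo "Triaging PR: ${{ github.event.pull_request.title }}"
          echo "Branch: ${{ github.head_ref }}"
"""

HARDENED_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened, edited]
permissions:
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Log the PR
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Triaging PR: $PR_TITLE"
          echo "Branch: $HEAD_REF"
"""

# Contexts GitHub documents as attacker-controlled on pull request / issue events
# (a representative subset, assumed for this demo).
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def run_scripts(workflow_text):
    """Yield (line_no, script) for each run: step; handles inline values and | or > blocks."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = lines[i].index("run:")
        value = m.group(2).strip()
        if value and value[0] in "|>":  # block scalar: collect deeper-indented lines
            body, j = [], i + 1
            while j < len(lines):
                line = lines[j]
                if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                    break
                body.append(line.strip())
                j += 1
            yield i + 1, "\n".join(body)
            i = j
        else:
            yield i + 1, value
            i += 1


def find_injections(workflow_text):
    """Return [(line_no, expression)] for ${{ }} in run: steps that read untrusted input."""
    findings = []
    for line_no, script in run_scripts(workflow_text):
        for expr in EXPR.findall(script):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((line_no, expr.strip()))
    return findings


def render_like_actions(script, context):
    """Mimic the runner: ${{ }} is substituted into the script TEXT before bash parses it."""
    return EXPR.sub(lambda m: context.get(m.group(1).strip(), ""), script)
```

Running find_injections over VULNERABLE_WORKFLOW reports both expressions on the run step's line; the hardened workflow reports nothing because the expressions only appear under env, where the runner sets a variable rather than rewriting script text. Feeding a constructed title such as Fix typo"; id; echo " through render_like_actions shows the shell line the vulnerable step would actually execute, with id injected as a separate command.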
🟠 High Severity Vulnerabilities
TP-Link TL-WA855RE Missing Authentication for Critical Function Vulnerability (CISA KEV) | CVE-2020-24363: TP-Link TL-WA855RE V5 (firmware 20200415-rel37464) does not authenticate its TDDP_RESET function. A network-adjacent attacker can send a crafted TDDP_RESET POST request to factory-reset and reboot the device, then set a new administrative password and take full control of it.
TP-Link Archer C7 (EU) and TL-WR841N/ND (MS) OS Command Injection Vulnerability (CISA KEV) | CVE-2025-9377: The Parental Control page of TP-Link Archer C7 (EU) V2 and TL-WR841N/ND (MS) V9 routers is vulnerable to authenticated remote code execution. An attacker with valid credentials can run arbitrary OS commands and fully compromise the device. Both models have reached End-of-Life (EOL), so TP-Link advises replacing them; where replacement cannot happen immediately, apply the security firmware TP-Link has published for them, change the default administrative password, and keep the management interface off the WAN.
Linux Kernel TOCTOU Race Condition Vulnerability (CISA KEV) | CVE-2025-38352: A race condition in the Linux kernel's POSIX CPU timers implementation stems from missing synchronization between handle_posix_cpu_timers(), which fires expired timers, and posix_cpu_timer_del(), which removes them. While a task is exiting, the two paths can observe inconsistent timer state, and a local attacker who wins the race during process termination can corrupt kernel state. The fix adds an exit_state check so that timers are not processed for a task that is already exiting and may be reaped concurrently.
Android Runtime Use-After-Free Vulnerability (CISA KEV) | CVE-2025-48543: A use-after-free in the Android Runtime (ART), reachable from multiple code paths, lets code already running inside the Chrome renderer sandbox escape it and attack the Android system_server process. Exploitation needs no additional privileges and no user interaction, so a compromised browser process can escalate to system-level privileges and compromise system services.
Unsafe Deserialization in AppRestrictionsFragment | CVE-2025-48535: Multiple functions in AppRestrictionsFragment.java deserialize a Parcel whose layout the sender controls, so a parcel mismatch lets a malicious app launch arbitrary activities (a "launch-anywhere" bug), escalate privileges locally, and bypass intended security restrictions.
🟡 Medium Severity Vulnerabilities
Meta WhatsApp Incorrect Authorization Vulnerability (CISA KEV) | CVE-2025-55177: WhatsApp for iOS, WhatsApp Business for iOS, and WhatsApp for Mac fail to fully authorize linked-device synchronization messages. As a result, an unrelated user could trigger processing of content from an arbitrary URL on a target's device. Chained with Apple CVE-2025-43300, this flaw has been used in targeted attacks, so update WhatsApp and the underlying OS together.
TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability (CISA KEV) | CVE-2023-50224: The dropbearpwd handling in the httpd service of TP-Link TL-WR841N routers performs improper authentication. Because the service listens on TCP port 80 by default, a network-adjacent attacker can exploit it without credentials to disclose stored credentials and then log in to the device.
Cross-Site Scripting (XSS) in IBM Jazz Foundation | CVE-2024-43184: IBM Jazz Foundation versions 7.0.2 through 7.1.0 are vulnerable to cross-site scripting (XSS). An attacker who can embed JavaScript in the web interface runs it in a victim's browser within a trusted session, which can disclose credentials, perform unauthorized actions, or tamper with data.
Boolean-Based Blind SQL Injection in dotCMS | CVE-2025-8311: A Boolean-based blind SQL injection exists in the dotCMS /api/v1/contenttype endpoint because the sites query parameter is not properly sanitized. An authenticated low-privilege user can infer database contents one true/false response at a time, exfiltrate sensitive data, escalate privileges, or trigger denial of service (DoS). Patches are available in versions 25.08.14, 25.07.10-1v2 LTS, 24.12.27v10 LTS, and 24.04.24v21 LTS.
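As an added illustration (Python on an in-memory SQLite database, not dotCMS's Java code or its real schema), the block below models what "Boolean-based blind" means for a parameter like sites: the vulnerable handler splices the value into SQL text, the only feedback an attacker gets is whether rows come back, and that single bit is enough to read another table one character per probe. The fixed handler binds the value as a parameter. Table names, rows and the secret value are constructed for the demo.

```python
import sqlite3

# Constructed toy schema; NOT dotCMS's real tables or the real /api/v1/contenttype query.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE content_type (id INTEGER PRIMARY KEY, name TEXT, site TEXT);
        CREATE TABLE user_ (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO content_type VALUES (1, 'Blog', 'demo.example'),
                                        (2, 'News', 'demo.example'),
                                        (3, 'Page', 'intranet.example');
        INSERT INTO user_ VALUES (1, 'admin', 'sha256:ab12cd34');
    """)
    return db


def list_types_vulnerable(db, sites):
    """Models the flaw: the sites parameter is spliced into the SQL text."""
    sql = "SELECT name FROM content_type WHERE site = '%s' ORDER BY id" % sites
    return [row[0] for row in db.execute(sql)]


def list_types_fixed(db, sites):
    """Hardened version: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT name FROM content_type WHERE site = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (sites,))]


def oracle(db, sites):
    """The only signal a blind attacker gets: did the endpoint return rows or not."""
    return len(list_types_vulnerable(db, sites)) > 0


CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789:"


def extract_secret(db, subquery, max_len=32):
    """Boolean-based blind extraction: recover a value one character per true/false probe."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            # The vulnerable template supplies the closing quote, so the payload
            # ends with the guessed character and the query stays syntactically valid.
            payload = "demo.example' AND substr((%s),%d,1)='%s" % (subquery, pos, ch)
            if oracle(db, payload):
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the value
    return recovered


# Subquery the attacker smuggles in; it targets a table the endpoint never meant to expose.
ADMIN_HASH = "SELECT password_hash FROM user_ WHERE username='admin'"
```

With this model, list_types_vulnerable(db, "x' OR '1'='1") returns every content type regardless of site, while list_types_fixed treats the same string as a literal site name and returns nothing. extract_secret(db, ADMIN_HASH) recovers the admin hash using nothing but the rows/no-rows distinction; the probe count (up to the charset size per character) is also why this class of bug doubles as a DoS vector on a heavier backing query. Parameter binding removes both problems at once, which is the change any dotCMS-style fix has to make.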