Here are the CVE updates for the week of October 27th through November 2nd.
🔴 Critical Severity Vulnerabilities
XWiki Platform Eval Injection Vulnerability (CISA KEV) | CVE-2025-24893
Description:
A remote code execution (RCE) vulnerability affects the XWiki Platform, a general-purpose wiki platform providing runtime services for applications. Because of insufficient input validation in the SolrSearch endpoint, unauthenticated attackers can send specially crafted requests that execute arbitrary code. Consequently, this issue endangers the confidentiality, integrity, and availability of the entire XWiki installation.
Potential Impacts:
- Remote Code Execution: Attackers can execute arbitrary Groovy scripts on the server.
- Full System Compromise: Complete access to data and system files may be obtained.
- Data Manipulation or Destruction: Adversaries might modify, delete, or exfiltrate sensitive information.
Mitigation Recommendations:
- Upgrade Immediately: Update to versions 15.10.11, 16.4.1, or 16.5.0RC1.
- Apply Temporary Mitigation: If upgrades are delayed, modify Main.SolrSearchMacros.xml to ensure the rawResponse macro outputs with a content type of
application/xml. - Restrict Access: Block unauthenticated access to
/xwiki/bin/get/. - Monitor Systems: Review logs for unexpected or repeated SolrSearch requests.
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability (CISA KEV) | CVE-2025-6205
Description:
A missing authorization flaw exists in DELMIA Apriso (Releases 2020–2025). Because access control checks are not properly enforced, attackers can perform privileged operations without authorization. Therefore, this weakness can lead to severe exposure of business and operational data.
Potential Impacts:
- Privilege Escalation: Attackers can gain elevated rights within the application.
- Data Exposure: Confidential data may become accessible to unauthorized users.
- System Manipulation: Malicious actors could alter configurations or workflow logic.
- Operational Disruption: Critical processes could slow or stop entirely.
- Regulatory Non-Compliance: Breaches might violate privacy or compliance requirements.
Mitigation Recommendations:
- Update Immediately: Apply vendor patches or upgrade to Release 2025+.
- Implement RBAC: Require explicit authorization for critical functions.
- Restrict Privileged Interfaces: Limit configuration access to trusted administrators.
- Audit Logs: Regularly review activity logs for anomalies.
- Enforce Least Privilege: Grant users only the permissions they need.
- Segment Networks: Isolate Apriso servers from general traffic.
- Monitor and Alert: Detect and respond promptly to unauthorized actions.
Unauthenticated Device Configuration via MAC-based UDP Management | CVE-2025-64385
Description:
Devices that rely on MAC-based identification for initial configuration can be compromised when UDP provisioning trusts spoofed MAC packets. As a result, an attacker can reconfigure devices remotely without authentication, altering critical network or credential data.
Potential Impacts:
- Device Takeover: Attackers can modify network, credential, or endpoint settings.
- Network Compromise: Malicious reconfigurations may enable lateral movement.
- Credential Theft: Adversaries can capture configuration data.
- Service Disruption: Devices could become inoperable.
- Supply Chain Risk: Attackers might reconfigure multiple devices at scale.
Mitigation Recommendations:
- Disable UDP Provisioning: Avoid UDP-based setup in production.
- Require Strong Authentication: Use per-device credentials or signed tokens.
- Enable Integrity Checks: Apply TLS, HMAC, or signed manifests.
- Restrict Network Access: Allow provisioning traffic only from trusted VLANs.
- Enforce MAC Anti-Spoofing: Use port security or DHCP snooping.
- Harden Defaults: Remove default credentials and disable remote setup.
- Update Firmware: Apply vendor patches removing MAC-only provisioning.
- Monitor Provisioning Activity: Log and alert on unexpected changes.
Unauthenticated Management API Exposure in UniFi Access Application | CVE-2025-52665
Description:
A misconfiguration in UniFi Access exposes a management API without proper authentication. Because attackers can directly interact with the API, they can issue administrative commands and alter access settings.
Potential Impacts:
- Unauthorized Access: Attackers may control door access systems.
- Configuration Tampering: Security settings and permissions can be changed.
- Physical Security Breach: Unauthorized entry could occur.
- Network Compromise: Exploitation may lead to lateral attacks.
Mitigation Recommendations:
- Update Immediately: Upgrade UniFi Access to version 4.0.21 or later.
- Restrict Network Access: Expose APIs only to trusted subnets.
- Implement Firewalls: Block external traffic to management networks.
- Review Logs: Audit API and configuration logs frequently.
- Harden Configuration: Enforce RBAC and disable unused endpoints.
- Adopt Zero Trust: Require full authentication within internal APIs.
Authentication Bypass in Seeyon Zhiyuan OA Web Application | CVE-2021-4461
Description:
Improper parameter parsing in Seeyon Zhiyuan OA (≤7.0 SP1) allows attackers to manipulate session attributes without proper authentication. Consequently, attackers can bypass access controls and take over user accounts.
Potential Impacts:
- Account Takeover: Attackers can impersonate administrators.
- Unauthorized Access: Sensitive data and resources become exposed.
- Data Exposure: Internal system data may be viewed or modified.
- Lateral Movement: Attackers can pivot across systems.
- Operational Disruption: System settings may be altered or deleted.
Mitigation Recommendations:
- Apply Vendor Patch: Install the fixed version from Seeyon.
- Validate Sessions: Enforce strong server-side session checks.
- Sanitize Input: Validate and clean all parameters.
- Restrict Access: Limit exposure of thirdpartyController.do endpoints.
- Monitor Activity: Track unauthorized session assignments.
- Segment Networks: Keep OA systems internal only.
- Respond Quickly: Reset credentials and audit after compromise.
🟠 High Severity Vulnerabilities
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability (CISA KEV) | CVE-2025-6204: A code injection vulnerability exists in DELMIA Apriso (2020–2025). Attackers can inject arbitrary code during the application’s code generation process. Applying the vendor patch is essential to prevent privilege escalation or data corruption.
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability (CISA KEV) | CVE-2025-41244: This flaw allows local users to gain root privileges on virtual machines managed under Aria Operations when SDMP is enabled. Upgrading to patched builds effectively resolves the issue.
DLL Hijacking in Trimble SketchUp Desktop 2025 | CVE-2025-60749: Attackers can exploit insecure DLL loading paths by planting a crafted libcef.dll file. When SketchUp executes, it may load the attacker’s DLL, leading to code execution.
SQL Injection in Revive Adserver 6.0.0 | CVE-2025-52664: Insufficient input sanitization allows authenticated users to manipulate SQL queries, enabling database modification or data leakage.
Authorization Bypass in JumpServer LDAP WebSocket Endpoint | CVE-2025-62795: Low-privileged users can invoke LDAP synchronization via WebSocket due to missing authorization checks. Updating to the latest stable version closes this exposure.
🟡 Medium Severity Vulnerabilities
Protection Mechanism Failure in Microsoft Edge | CVE-2025-60711: A security control failure in Microsoft Edge (Chromium) can allow remote code execution. Attackers exploiting this flaw can run arbitrary code remotely, threatening browser security.
Clickjacking (UI Redress) Vulnerability | CVE-2025-64387: Because the affected web application lacks proper frame restrictions, attackers can embed it inside an attacker-controlled iframe. Consequently, they can trick users into clicking hidden buttons or submitting sensitive data.
Stored Cross-Site Scripting (XSS) in Nagios Network Analyzer | CVE-2025-34278: The Source Groups page fails to sanitize user input properly. As a result, attackers can inject persistent JavaScript payloads that execute in administrators’ browsers.