Here are the CVE updates for the week of October 20th through 26th.
🔴 Critical Severity Vulnerabilities
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability (CISA KEV) | CVE-2025-2746
Description: An authentication bypass vulnerability affects Kentico Xperience (versions up to 13.0.172) because of improper handling of empty SHA1 usernames in the Staging Sync Server’s digest authentication. When the system receives a request with an empty username hash, it may incorrectly validate authentication. Consequently, unauthorized users can bypass login checks and gain administrative access. As a result, attackers could control administrative objects within the Xperience environment.
Potential Impacts:
- Authentication Bypass: Attackers may access administrative interfaces or APIs without valid credentials.
- Privilege Escalation: Malicious users could gain complete control over site configurations, content, and user management.
- Data Manipulation: Exploitation may allow attackers to modify or delete administrative objects, which compromises content integrity.
- Lateral Movement: Once attackers gain admin access, they might execute additional attacks across the environment.
- Business and Reputation Risk: Unauthorized changes or data exposure can harm website integrity and public trust.
Mitigation Recommendations:
- Apply Vendor Patch: Upgrade Kentico Xperience beyond version 13.0.172 immediately.
- Restrict Access: Allow access to the Staging Sync Server only from trusted IPs or internal networks.
- Enforce Strong Authentication: Disable digest authentication if unnecessary, and adopt secure options such as token-based or mutual TLS.
- Monitor Logs: Continuously review logs for suspicious logins or sync attempts.
- Segmentation: Isolate staging and production to reduce cross-impact risks.
- Incident Response: If a breach occurs, revoke credentials, reset admin passwords, and audit changes quickly.
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability (CISA KEV) | CVE-2025-2747
Description: This vulnerability exists in Kentico Xperience (versions through 13.0.178) within the Staging Sync Server component. It appears when the server uses the “None” authentication type, which disables all authentication checks. As a result, an attacker can connect and gain administrative access without credentials. This flaw can lead to unauthorized manipulation of administrative objects in the system.
Potential Impacts:
- Authentication Bypass: Attackers can access the Staging Sync Server without any authentication.
- Privilege Escalation: Unauthorized users might obtain full administrative privileges.
- Data Compromise: Malicious users can modify, delete, or create administrative objects.
- System Integrity Risks: Configuration changes could disrupt normal operations.
- Reputation Damage: Unauthorized tampering may cause data leaks or site defacement.
Mitigation Recommendations:
- Apply Vendor Patch: Upgrade Kentico Xperience beyond version 13.0.178.
- Disable “None” Authentication Type: Enforce secure authentication mechanisms.
- Restrict Network Access: Allow only trusted internal or VPN connections.
- Audit Configuration: Review and verify all authentication settings.
- Monitor Access Logs: Check regularly for unauthorized sync activity.
- Segregate Environments: Separate staging from production.
- Incident Response: If compromise occurs, revoke tokens, reset credentials, and inspect for unauthorized changes.
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability (CISA KEV) | CVE-2025-61932
Description: A remote code execution vulnerability impacts Lanscope Endpoint Manager (On-Premises). It affects both the Client (MR) and Detection Agent (DA) components. Because the system fails to verify the origin of incoming requests, attackers can send crafted packets that the system misinterprets as trusted. As a result, they can execute arbitrary code on affected endpoints and potentially achieve full system compromise.
Potential Impacts:
- Remote Code Execution (RCE): Attackers can execute commands on vulnerable systems.
- Complete System Compromise: Full control of the Lanscope environment may be obtained.
- Data Breach: Sensitive data could be stolen or exposed.
- Network Propagation: Attackers may move laterally across the network.
- Operational Disruption: Endpoint monitoring or management could be disrupted.
Mitigation Recommendations:
- Apply Vendor Patch: Update to the latest Lanscope Endpoint Manager version.
- Restrict Network Access: Limit communication to trusted servers and block external access.
- Network Segmentation: Separate management systems from user networks.
- Monitor Traffic: Detect malformed or suspicious packets targeting Lanscope.
- Implement Firewall Rules: Block traffic from untrusted sources.
- Least Privilege Principle: Run services with minimal privileges.
- Incident Response: If compromise is suspected, isolate, investigate, and restore from trusted backups.
Adobe Commerce and Magento Improper Input Validation Vulnerability (CISA KEV) | CVE-2025-54236
Description: An improper input validation flaw exists in Adobe Commerce (versions: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier). Because input validation is missing, attackers can manipulate application data to take over sessions and compromise systems. This vulnerability requires no user interaction and may lead to session hijacking, data theft, or chained exploitation.
Potential Impacts:
- Session Takeover: Attackers can hijack administrative or user sessions.
- Data Exposure: Customer and order data can be accessed or modified.
- Privilege Escalation: Hijacked sessions could allow unauthorized administrative actions.
- Service Disruption: Attackers may alter storefront content or disrupt payments.
- Chained Exploits: Compromised sessions may enable further attacks.
Mitigation Recommendations:
- Apply Vendor Patch: Update to the latest secure release immediately.
- Invalidate Sessions: Force logouts and rotate all credentials and keys.
- Harden Session Controls: Use secure cookies, short lifetimes, and MFA for admins.
- Deploy WAF: Block malicious payloads and exploit attempts.
- Audit Extensions: Review third-party modules for unsafe input handling.
- Monitor & Detect: Track anomalies in session activity and admin actions.
- Backup & Recovery: Keep validated backups and test recovery procedures.
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability (CISA KEV) | CVE-2025-59287
Description: A deserialization vulnerability in WSUS allows attackers to send malicious payloads that the server processes unsafely. When WSUS deserializes this data, attackers may execute arbitrary code remotely without authentication. Therefore, this flaw can result in full system compromise and even enable malicious update distribution.
Potential Impacts:
- Remote Code Execution (RCE): Attackers can execute arbitrary code remotely.
- Server Compromise: WSUS hosts may be fully taken over.
- Supply Chain Risks: Attackers could distribute fake or malicious updates.
- Lateral Movement: Compromised servers can be used to pivot into internal systems.
- Data Loss: Sensitive WSUS or network data may be exposed or corrupted.
Mitigation Recommendations:
- Apply Microsoft Patches: Install all updates addressing CVE-2025-59287 immediately.
- Restrict Access: Limit WSUS exposure to internal management networks only.
- Harden Configuration: Disable unused features and minimize service privileges.
- Validate Inputs: Reject untrusted or unsigned serialized data.
- Segment the Network: Isolate WSUS from user networks.
- Monitor Activity: Track anomalous uploads or process creation.
- Verify Integrity: Use digital signatures and allowlists for updates.
- Backup & Recovery: Maintain and test WSUS backups regularly.
- Incident Response: If exploited, isolate, investigate, and rebuild securely.
🟠 High Severity Vulnerabilities
Apple Multiple Products Unspecified Vulnerability (CISA KEV) | CVE-2022-48503: A memory corruption flaw was discovered across multiple Apple platforms due to insufficient bounds checking. By processing crafted web content, attackers could achieve arbitrary code execution. The issue affects tvOS 15.5 and earlier, watchOS 8.6 and earlier, iOS/iPadOS 15.5 and earlier, macOS Monterey 12.4 and earlier, and Safari 15.5 and earlier. Apple resolved it through improved validation in subsequent updates.
Microsoft Windows SMB Client Improper Access Control Vulnerability (CISA KEV) | CVE-2025-33073: Windows SMB contains an access control flaw allowing an authorized attacker to elevate privileges remotely. Improper enforcement of permission checks lets low-privilege users perform admin-level actions. Applying Microsoft’s latest updates mitigates the issue.
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability (CISA KEV) | CVE-2025-61884: Oracle Configurator in Oracle E-Business Suite versions 12.2.3 through 12.2.14 suffers from an SSRF flaw. Unauthenticated attackers can access internal data via crafted HTTP requests. Oracle addressed this vulnerability in its critical patch updates.
🟡 Medium Severity Vulnerabilities
CSV Injection in AI Chatbot Free Models Plugin for WordPress | CVE-2025-11576: A CSV injection flaw in the AI Chatbot Free Models plugin (≤1.6.5) allows attackers to inject malicious payloads into exported CSV files. When opened in Excel or similar software, this can result in arbitrary command execution.
Unauthorized Media Deletion in Microsoft Azure Storage for WordPress | CVE-2025-10749: A missing capability check in the “azure-storage-media-replace” AJAX action allows subscriber-level users to delete media files. Attackers can exploit this flaw to remove content from the WordPress Media Library.
Group-Writable /etc/passwd in Container Images | CVE-2025-57848: Some container-native virtualization images contain group-writable /etc/passwd files. Attackers who can execute commands in the container can modify users and escalate privileges to root.
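The /etc/passwd entry above is a permissions defect that is easy to audit before an image ships. The following Python is an added example, not taken from any affected image or vendor tooling, that checks a set of critical files under an unpacked image root for group- or world-writable bits and can tighten them. The file list, the constructed demo root and the chosen target mode are this example's own assumptions.

```python
import os
import stat
import tempfile

# Files whose contents control identity and privilege inside the image.
# (Assumed list for this example; extend it for your base image.)
CRITICAL_FILES = ("etc/passwd", "etc/group", "etc/shadow", "etc/sudoers")

NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_non_owner(mode):
    """True if the group or 'other' write bit is set in a mode value."""
    return bool(mode & NON_OWNER_WRITE)


def audit_rootfs(root):
    """Return [(relative_path, octal_mode)] for critical files that non-owners can write.

    Uses lstat so a symlink planted at one of these paths is reported rather
    than silently followed.
    """
    findings = []
    for rel in CRITICAL_FILES:
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # e.g. no /etc/shadow in a minimal image
        if stat.S_ISLNK(st.st_mode) or writable_by_non_owner(st.st_mode):
            findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return findings


def fix_permissions(root):
    """Clear group/other write bits on flagged regular files; return what was changed."""
    changed = []
    for rel, _ in audit_rootfs(root):
        path = os.path.join(root, rel)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink here needs a human decision, not a chmod
        new_mode = stat.S_IMODE(st.st_mode) & ~NON_OWNER_WRITE
        os.chmod(path, new_mode)
        changed.append((rel, oct(new_mode)))
    return changed


def build_demo_rootfs():
    """Construct a throwaway image root reproducing the defect (example data only)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    passwd = os.path.join(root, "etc", "passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    os.chmod(passwd, 0o664)  # group-writable: the condition described above
    group = os.path.join(root, "etc", "group")
    with open(group, "w") as f:
        f.write("root:x:0:\n")
    os.chmod(group, 0o644)   # correct
    return root


if __name__ == "__main__":
    demo = build_demo_rootfs()
    print("findings:", audit_rootfs(demo))
    print("fixed:", fix_permissions(demo))
    print("after fix:", audit_rootfs(demo))
```

Run this against the extracted layers of an image in CI, or against a mounted rootfs; inside a running container the same check is `find /etc -perm /g+w,o+w -type f`. Treat a symlink at one of these paths as a finding in its own right, since the chmod would otherwise land on the link target.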
Out-of-Bounds Read in NVIDIA Display Driver | CVE-2025-23345: A vulnerability in NVIDIA’s video decoder component allows attackers to trigger out-of-bounds reads. This can cause crashes or information disclosure when processing crafted video data.