24h | 7d | 30d

CVE-2025-32433

Overview

  • erlang
  • otp
16 Apr 2025
Published
18 Apr 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.31%
KEV

Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

Statistics

  • 9 Posts
  • 19 Interactions

Fediverse

Profile picture
Haelwenn /элвэн/ :triskell: @lanodan
Yikes, patch your #Erlang if you've SSH on it (like with Pleroma BBS, removed 2 years ago in favor of sshsocial in 2.6.0+, so like 2.5.x and older are potentially affected).

https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2 - CVE-2025-32433
  • 5
  • 0
  • 13 hours ago
Profile picture
Hackread.com @Hackread

🚨 CVSS 10.0 RCE flaw (CVE-2025-32433) found in Erlang/OTP SSH. Affects systems using it for remote access, including IoT and telecom. Patch now!

Read: hackread.com/researchers-cvss-

#Cybersecurity #InfoSec #Vulnerability #Erlang #OTPSSH

  • 2
  • 0
  • 16 hours ago
Profile picture
buherator @buherator
oss-security - Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
https://www.openwall.com/lists/oss-security/2025/04/18/1

Exploit published ^
  • 2
  • 0
  • 1 hour ago
Profile picture
Alexandre Dulaunoy @adulau

we talk about ssh with @jtk and bam there is this

vulnerability.circl.lu/vuln/CV

“SSH server (Erlang) may allow an attacker to perform unauthenticated remote code execution (RCE).”

We should be careful when we talk.

  • 1
  • 5
  • 18 hours ago
Profile picture
Marco Ivaldi @raptor

@buherator interesting blog too platformsecurity.com/blog/CVE-

  • 1
  • 3
  • 1 hour ago
Profile picture
Dark Web Informer - Cyber Threat Intelligence :verified_paw: :verified_dragon: @DarkWebInformer

🚨CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH

CVSS: 10

darkwebinformer.com/cve-2025-3

  • 0
  • 0
  • 16 hours ago
Profile picture
Rishi @rxerium

🚨Critical remote code execution zero-day (CVSS 10.0) vulnerability CVE-2025-32433 affecting the Erlang/OTP SSH service allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication

"All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.

  • 0
  • 0
  • 16 hours ago
Profile picture
The DefendOps Diaries @defendopsdiaries

A major flaw in Erlang/OTP SSH now lets attackers run code without needing any credentials—imagine leaving your front door wide open. Is your system at risk? Dive into the details and learn how to lock it down.

thedefendopsdiaries.com/unders





  • 0
  • 0
  • 13 hours ago
Profile picture
sublimer@あすてろいどん鯖管 @sublimer

CVE-2025-32433、インパクトは大きいけど、影響を受けるケースがどのくらいあるのか…

  • 0
  • 0
  • 1 hour ago

CVE-2025-24054

Overview

  • Microsoft
  • Windows 10 Version 1809
11 Mar 2025
Published
17 Apr 2025
Updated
CVSS v3.1
MEDIUM (6.5)
EPSS
0.60%
KEV

Description

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 3 Posts
  • 4 Interactions

Fediverse

Profile picture
ZeroDaily @zerodaily

🚨 Windows NTLM flaw (CVE-2025-24054) is under active exploitation! Learn how this critical vulnerability impacts your security and what you can do to stay safe. 🛡️

#CyberSecurity #InfoSec #ThreatIntel #Vulnerability #WindowsSecurity #CVE #ZeroDay #SecurityNews

Learn more: zerodaily.me/blog/2025-04-18-w

  • 2
  • 1
  • 3 hours ago
Profile picture
Club de TéléMatique :verified: @ClubTeleMatique

Hacker News: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download thehackernews.com/2025/04/cve- #news #IT

  • 1
  • 0
  • 1 hour ago
Profile picture
The DefendOps Diaries @defendopsdiaries

Windows systems are under threat! A tiny flaw now lets hackers steal sensitive credentials with just a folder click. How safe is your PC against these crafty phishing attacks? Read more on this alarming vulnerability.

thedefendopsdiaries.com/unders





  • 0
  • 0
  • 15 hours ago

CVE-2025-21204

Overview

  • Microsoft
  • Windows Server 2025
08 Apr 2025
Published
16 Apr 2025
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.06%
KEV

Description

Improper link resolution before file access ('link following') in Windows Update Stack allows an authorized attacker to elevate privileges locally.

Statistics

  • 2 Posts
  • 5 Interactions

Fediverse

Profile picture
Yuki Hazuki ·𐑘𐑵𐑒𐑘 ·𐑾𐑨𐑟𐑵𐑒𐑘 葉月膤 ❄️ 🏳️‍⚧️ @Yuki

ok so apparently the solution to fix CVE-2025-21204 on Windows is to create C:\inetpub even if IIS isn't installed

that's kinda wild

  • 2
  • 0
  • 12 hours ago
Profile picture
Kevin Beaumont @GossiTheDog

@wdormann MSRC still haven't triaged the (I think) vuln CVE-2025-21204 patch introduces 🤪

  • 0
  • 3
  • 21 hours ago

CVE-2025-31200

Overview

  • Apple
  • visionOS
16 Apr 2025
Published
17 Apr 2025
Updated
CVSS
Pending
EPSS
0.20%
KEV

Description

A memory corruption issue was addressed with improved bounds checking. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Statistics

  • 3 Posts
  • 1 Interaction

Fediverse

Profile picture
nemo™ 🇺🇦 @nemo

🚨 Apple just patched CVE-2025-31200 in CoreAudio & CVE-2025-31201 in RPAC, both zero-day flaws exploited in targeted iOS attacks. Update to iOS 18.4.1, iPadOS 18.4.1, & macOS Sequoia 15.4.1 ASAP! 🔒 More info: cyberinsider.com/apple-fixes-t #AppleSecurity #ZeroDay #CyberSecurity 💻🛡️ #newz

  • 1
  • 0
  • 11 hours ago
Profile picture
ekiledjian @edwardk

Apple released emergency updates to address two vulnerabilities, CVE-2025-31200 and CVE-2025-31201, impacting iOS, iPadOS, and macOS. The flaws, exploited in sophisticated attacks against iOS targets, were addressed with improved bounds checking and removing vulnerable code.
securityaffairs.com/176644/sec

  • 0
  • 0
  • 22 hours ago
Profile picture
Cybersecurity & cyberwarfare @cybersecurity

Zero-day su iPhone, Mac e iPad: Apple corre ai ripari con patch d’emergenza

Apple ha rilasciato patch di emergenza per correggere due vulnerabilità zero-day. Secondo l’azienda, questi problemi sono stati sfruttati in attacchi mirati ed “estremamente sofisticati” contro i possessori di iPhone.

Le vulnerabilità sono state scoperte in CoreAudio (CVE-2025-31200 , punteggio CVSS 7,5) e RPAC ( CVE-2025-31201, punteggio CVSS 6,8) i quali interessano iOS, macOS, tvOS, iPadOS e visionOS.

“Apple è consapevole che queste problematiche potrebbero essere sfruttate per attacchi altamente sofisticati contro singoli utenti iOS”, ha affermato Apple in un bollettino sulla sicurezza.

La vulnerabilità CVE-2025-31200 in CoreAudio è stata scoperta dai ricercatori Apple e da quelli di Google Threat Analysis. Questo bug può essere sfruttato per eseguire da remoto del codice su un dispositivo elaborando un flusso audio in un file multimediale dannoso e appositamente preparato.

La vulnerabilità CVE-2025-31201 è stata scoperta dagli stessi specialisti Apple. Questo bug in RPAC consente agli aggressori con accesso in lettura/scrittura di aggirare Pointer Authentication (PAC), una funzionalità di sicurezza iOS progettata per proteggere dalle vulnerabilità della memoria.

Finora, Apple non ha divulgato dettagli su come queste vulnerabilità siano state sfruttate negli attacchi o su chi ne siano stati i bersagli. I problemi sono stati risolti in iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, macOS Sequoia 15.4.1 e visionOS 2.4.1 .

Le vulnerabilità interessano sia i modelli più vecchi che quelli più nuovi dei dispositivi Apple:

  • iPhone XS e modelli successivi;
  • iPad Pro da 13 pollici, iPad Pro da 12,9 pollici (3a generazione e successive), iPad Pro da 11 pollici (1a generazione e successive), iPad Air di 3a generazione e successive, iPad di 7a generazione e successive e iPad mini di 5a generazione e successive;
  • macOS Sequoia;
  • Apple TV HD e Apple TV 4K (tutti i modelli);
  • Apple Vision Pro.

L'articolo Zero-day su iPhone, Mac e iPad: Apple corre ai ripari con patch d’emergenza proviene da il blog della sicurezza informatica.

  • 0
  • 0
  • 5 hours ago

CVE-2025-31201

Overview

  • Apple
  • visionOS
16 Apr 2025
Published
17 Apr 2025
Updated
CVSS
Pending
EPSS
0.05%
KEV

Description

This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Statistics

  • 3 Posts
  • 1 Interaction

Fediverse

Profile picture
nemo™ 🇺🇦 @nemo

🚨 Apple just patched CVE-2025-31200 in CoreAudio & CVE-2025-31201 in RPAC, both zero-day flaws exploited in targeted iOS attacks. Update to iOS 18.4.1, iPadOS 18.4.1, & macOS Sequoia 15.4.1 ASAP! 🔒 More info: cyberinsider.com/apple-fixes-t #AppleSecurity #ZeroDay #CyberSecurity 💻🛡️ #newz

  • 1
  • 0
  • 11 hours ago
Profile picture
ekiledjian @edwardk

Apple released emergency updates to address two vulnerabilities, CVE-2025-31200 and CVE-2025-31201, impacting iOS, iPadOS, and macOS. The flaws, exploited in sophisticated attacks against iOS targets, were addressed with improved bounds checking and removing vulnerable code.
securityaffairs.com/176644/sec

  • 0
  • 0
  • 22 hours ago
Profile picture
Cybersecurity & cyberwarfare @cybersecurity

Zero-day su iPhone, Mac e iPad: Apple corre ai ripari con patch d’emergenza

Apple ha rilasciato patch di emergenza per correggere due vulnerabilità zero-day. Secondo l’azienda, questi problemi sono stati sfruttati in attacchi mirati ed “estremamente sofisticati” contro i possessori di iPhone.

Le vulnerabilità sono state scoperte in CoreAudio (CVE-2025-31200 , punteggio CVSS 7,5) e RPAC ( CVE-2025-31201, punteggio CVSS 6,8) i quali interessano iOS, macOS, tvOS, iPadOS e visionOS.

“Apple è consapevole che queste problematiche potrebbero essere sfruttate per attacchi altamente sofisticati contro singoli utenti iOS”, ha affermato Apple in un bollettino sulla sicurezza.

La vulnerabilità CVE-2025-31200 in CoreAudio è stata scoperta dai ricercatori Apple e da quelli di Google Threat Analysis. Questo bug può essere sfruttato per eseguire da remoto del codice su un dispositivo elaborando un flusso audio in un file multimediale dannoso e appositamente preparato.

La vulnerabilità CVE-2025-31201 è stata scoperta dagli stessi specialisti Apple. Questo bug in RPAC consente agli aggressori con accesso in lettura/scrittura di aggirare Pointer Authentication (PAC), una funzionalità di sicurezza iOS progettata per proteggere dalle vulnerabilità della memoria.

Finora, Apple non ha divulgato dettagli su come queste vulnerabilità siano state sfruttate negli attacchi o su chi ne siano stati i bersagli. I problemi sono stati risolti in iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, macOS Sequoia 15.4.1 e visionOS 2.4.1 .

Le vulnerabilità interessano sia i modelli più vecchi che quelli più nuovi dei dispositivi Apple:

  • iPhone XS e modelli successivi;
  • iPad Pro da 13 pollici, iPad Pro da 12,9 pollici (3a generazione e successive), iPad Pro da 11 pollici (1a generazione e successive), iPad Air di 3a generazione e successive, iPad di 7a generazione e successive e iPad mini di 5a generazione e successive;
  • macOS Sequoia;
  • Apple TV HD e Apple TV 4K (tutti i modelli);
  • Apple Vision Pro.

L'articolo Zero-day su iPhone, Mac e iPad: Apple corre ai ripari con patch d’emergenza proviene da il blog della sicurezza informatica.

  • 0
  • 0
  • 5 hours ago

CVE-2025-43715

Overview

  • Nullsoft
  • Nullsoft Scriptable Install System
17 Apr 2025
Published
17 Apr 2025
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.01%
KEV

Description

Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

Profile picture
Lutra Security @lutrasecurity

It's alive! The CVE Program has secured another 11 months of funding, which can now be used to establish alternatives and secure other sources of funding.

published already a few new ​s today, like this privilege escalation in the Nullsoft Scriptable Install System: fieldguide.lutrasecurity.com/C

  • 2
  • 1
  • 23 hours ago

CVE-2024-55211

Overview

  • Pending
17 Apr 2025
Published
17 Apr 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

An issue in Think Router Tk-Rt-Wr135G V3.0.2-X000 allows attackers to bypass authentication via a crafted cookie.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Auth bypass in a Think router.

github.com/micaelmaciel/CVE-20

cc: @Dio9sys @da_667

  • 1
  • 1
  • 7 hours ago

CVE-2025-25457

Overview

  • Pending
17 Apr 2025
Published
17 Apr 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via cloneType2.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Did I already share this one @Dio9sys @da_667 ? They just had a new CVE published today for Tenda and I can't remember.

github.com/xyqer1?tab=reposito

nvd.nist.gov/vuln/detail/CVE-2

  • 1
  • 1
  • 18 hours ago

CVE-2024-12530

Overview

  • OpenText
  • Secure Content Manager
17 Apr 2025
Published
17 Apr 2025
Updated
CVSS v4.0
HIGH (7.0)
EPSS
Pending
KEV

Description

Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4. End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Use full paths for your DLLs plz. OpenText just learned about it.

portal.microfocus.com/s/articl

sev:HIGH 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4. End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.

nvd.nist.gov/vuln/detail/CVE-2

  • 0
  • 3
  • 17 hours ago

CVE-2025-0756

Overview

  • Hitachi Vantara
  • Pentaho Data Integration & Analytics
16 Apr 2025
Published
17 Apr 2025
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.23%
KEV

Description

Overview   The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)   Description   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.   Impact   An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Resource injection in Hitachi Vantara. Once again, the published CVE has a bad link and the description is pretty worthless.

support.pentaho.com/hc/en-us/a

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

nvd.nist.gov/vuln/detail/CVE-2

  • 0
  • 2
  • 21 hours ago
Showing 1 to 10 of 20 CVEs