Byte Open Security

(ByteOS Network)

Security Vulnerabilities (328347)
CVE-2025-58716
Assigner-Microsoft Corporation
CVSS Score-8.8 || HIGH
EPSS-0.10% / 28.42% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Speech Runtime Elevation of Privilege Vulnerability

Improper input validation in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507; windows_11_22h2; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_1607; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2016 (Server Core installation); Windows Server 2019 (Server Core installation); Windows 10 Version 1507; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-20
Improper Input Validation
CVE-2025-58715
Assigner-Microsoft Corporation
CVSS Score-8.8 || HIGH
EPSS-0.09% / 26.04% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Speech Runtime Elevation of Privilege Vulnerability

Integer overflow or wraparound in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507; windows_11_22h2; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_1607; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2016 (Server Core installation); Windows Server 2019 (Server Core installation); Windows 10 Version 1507; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2025-55701
Assigner-Microsoft Corporation
CVSS Score-7.8 || HIGH
EPSS-0.10% / 28.42% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Authentication Elevation of Privilege Vulnerability

Improper validation of specified type of input in Microsoft Windows allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2012; windows_10_21h2; windows_11_24h2; windows_server_2022; windows_server_2022_23h2; windows_server_2025; windows_10_1507; windows_11_22h2; windows_server_2008; windows_11_23h2; windows_10_1607; windows_10_22h2; windows_10_1809; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2012 R2; Windows Server 2016 (Server Core installation); Windows 10 Version 1507; Windows Server 2012; Windows Server 2008 Service Pack 2 (Server Core installation); Windows Server 2008 Service Pack 2; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2012 R2 (Server Core installation); Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows Server 2012 (Server Core installation); Windows 11 version 22H3; Windows 11 Version 24H2; Windows Server 2008 R2 Service Pack 1; Windows Server 2008 R2 Service Pack 1 (Server Core installation); Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2025-55700
Assigner-Microsoft Corporation
CVSS Score-6.5 || MEDIUM
EPSS-0.07% / 21.94% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2012; windows_10_21h2; windows_11_24h2; windows_server_2022; windows_server_2022_23h2; windows_server_2025; windows_10_1507; windows_11_22h2; windows_server_2008; windows_11_23h2; windows_10_1607; windows_10_22h2; windows_10_1809; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2012 R2; Windows Server 2016 (Server Core installation); Windows 10 Version 1507; Windows Server 2012; Windows Server 2008 Service Pack 2 (Server Core installation); Windows Server 2008 Service Pack 2; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2012 R2 (Server Core installation); Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows Server 2012 (Server Core installation); Windows 11 version 22H3; Windows 11 Version 24H2; Windows Server 2008 R2 Service Pack 1; Windows Server 2008 R2 Service Pack 1 (Server Core installation); Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-55689
Assigner-Microsoft Corporation
CVSS Score-7 || HIGH
EPSS-0.06% / 19.14% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability

Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_22h2; windows_11_24h2; windows_10_21h2; windows_11_23h2; windows_server_2022; windows_10_22h2; windows_server_2022_23h2; windows_server_2025; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 10 Version 22H2; Windows 11 version 22H2; Windows Server 2022; Windows 11 Version 23H2; Windows Server 2025 (Server Core installation); Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-416
Use After Free
CVE-2025-55687
Assigner-Microsoft Corporation
CVSS Score-7.4 || HIGH
EPSS-0.05% / 14.54% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Resilient File System (ReFS) allows an unauthorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507; windows_11_22h2; windows_server_2012; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_1607; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2012 R2; Windows Server 2016 (Server Core installation); Windows 10 Version 1507; Windows Server 2012; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2012 R2 (Server Core installation); Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows Server 2012 (Server Core installation); Windows 11 version 22H3; Windows 11 Version 24H2; Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE ID-CWE-416
Use After Free
CVE-2025-55686
Assigner-Microsoft Corporation
CVSS Score-7 || HIGH
EPSS-0.06% / 19.14% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability

Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_22h2; windows_server_2022_23h2; windows_server_2025; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 10 Version 22H2; Windows 11 version 22H2; Windows Server 2022; Windows 11 Version 23H2; Windows Server 2025 (Server Core installation); Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-416
Use After Free
CVE-2025-55685
Assigner-Microsoft Corporation
CVSS Score-7 || HIGH
EPSS-0.06% / 19.14% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability

Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_22h2; windows_11_24h2; windows_10_21h2; windows_11_23h2; windows_server_2022; windows_10_22h2; windows_server_2022_23h2; windows_server_2025; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 10 Version 22H2; Windows 11 version 22H2; Windows Server 2022; Windows 11 Version 23H2; Windows Server 2025 (Server Core installation); Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-416
Use After Free
CVE-2025-55681
Assigner-Microsoft Corporation
CVSS Score-7 || HIGH
EPSS-0.08% / 24.25% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Desktop Windows Manager Elevation of Privilege Vulnerability

Out-of-bounds read in Windows DWM allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_22h2; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 10 Version 22H2; Windows Server 2022; Windows 11 version 22H2; Windows 11 Version 23H2; Windows Server 2019; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows 11 version 22H3; Windows 11 Version 24H2; Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-822
Untrusted Pointer Dereference
CVE-2025-55677
Assigner-Microsoft Corporation
CVSS Score-7.8 || HIGH
EPSS-0.07% / 20.66% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Device Association Broker Service Elevation of Privilege Vulnerability

Untrusted pointer dereference in Windows Device Association Broker service allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2025; windows_11_25h2; windows_11_24h2; Windows 11 Version 25H2; Windows 11 Version 24H2; Windows Server 2025; Windows Server 2025 (Server Core installation)
CWE ID-CWE-822
Untrusted Pointer Dereference
CVE-2025-55676
Assigner-Microsoft Corporation
CVSS Score-5.5 || MEDIUM
EPSS-0.08% / 23.35% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows USB Video Class System Driver Information Disclosure Vulnerability

Generation of error message containing sensitive information in Windows USB Video Driver allows an authorized attacker to disclose information locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2025; windows_11_25h2; windows_11_24h2; Windows 11 Version 25H2; Windows 11 Version 24H2; Windows Server 2025; Windows Server 2025 (Server Core installation)
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2025-55340
Assigner-Microsoft Corporation
CVSS Score-7 || HIGH
EPSS-0.06% / 17.62% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Remote Desktop Protocol Security Feature Bypass

Improper authentication in Windows Remote Desktop Protocol allows an authorized attacker to bypass a security feature locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_22h2; windows_11_24h2; windows_10_21h2; windows_11_23h2; windows_server_2022; windows_10_22h2; windows_server_2022_23h2; windows_server_2025; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 10 Version 22H2; Windows 11 version 22H2; Windows Server 2022; Windows 11 Version 23H2; Windows Server 2025 (Server Core installation); Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-287
Improper Authentication
CVE-2025-55339
Assigner-Microsoft Corporation
CVSS Score-7.8 || HIGH
EPSS-0.07% / 20.66% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Network Driver Interface Specification (NDIS) Driver Elevation of Privilege Vulnerability

Out-of-bounds read in Windows NDIS allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_22h2; windows_11_24h2; windows_11_23h2; windows_server_2022; windows_server_2022_23h2; windows_server_2025; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 11 Version 23H2; Windows 11 version 22H2; Windows Server 2022; Windows Server 2025 (Server Core installation); Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-55338
Assigner-Microsoft Corporation
CVSS Score-6.1 || MEDIUM
EPSS-0.07% / 22.59% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows BitLocker Security Feature Bypass Vulnerability

Missing Ability to Patch ROM Code in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507; windows_11_22h2; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_1607; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2016 (Server Core installation); Windows Server 2019 (Server Core installation); Windows 10 Version 1507; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-55336
Assigner-Microsoft Corporation
CVSS Score-5.5 || MEDIUM
EPSS-0.06% / 18.54% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

Exposure of sensitive information to an unauthorized actor in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_22h2; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 10 Version 22H2; Windows Server 2022; Windows 11 version 22H2; Windows 11 Version 23H2; Windows Server 2019; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows 11 version 22H3; Windows 11 Version 24H2; Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-55335
Assigner-Microsoft Corporation
CVSS Score-7.4 || HIGH
EPSS-0.05% / 14.54% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-07 Jan, 2026 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows NTFS Elevation of Privilege Vulnerability

Use after free in Windows NTFS allows an unauthorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2012; windows_10_21h2; windows_11_24h2; windows_server_2022; windows_server_2022_23h2; windows_server_2025; windows_10_1507; windows_11_22h2; windows_server_2008; windows_11_23h2; windows_10_1607; windows_10_22h2; windows_10_1809; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2012 R2; Windows Server 2016 (Server Core installation); Windows 10 Version 1507; Windows Server 2012; Windows Server 2008 Service Pack 2 (Server Core installation); Windows Server 2008 Service Pack 2; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2012 R2 (Server Core installation); Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows Server 2012 (Server Core installation); Windows 11 version 22H3; Windows 11 Version 24H2; Windows Server 2008 R2 Service Pack 1; Windows Server 2008 R2 Service Pack 1 (Server Core installation); Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE ID-CWE-416
Use After Free
CVE-2025-55333
Assigner-Microsoft Corporation
CVSS Score-6.1 || MEDIUM
EPSS-0.07% / 22.19% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows BitLocker Security Feature Bypass Vulnerability

Incomplete comparison with missing factors in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507; windows_11_22h2; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_1607; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2016 (Server Core installation); Windows Server 2019 (Server Core installation); Windows 10 Version 1507; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-1023
Incomplete Comparison with Missing Factors
CVE-2025-55325
Assigner-Microsoft Corporation
CVSS Score-5.5 || MEDIUM
EPSS-0.06% / 17.83% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Storage Management Provider Information Disclosure Vulnerability

Buffer over-read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507; windows_11_22h2; windows_10_21h2; windows_11_23h2; windows_11_24h2; windows_server_2022; windows_10_1607; windows_10_22h2; windows_server_2022_23h2; windows_10_1809; windows_server_2025; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2016 (Server Core installation); Windows Server 2019 (Server Core installation); Windows 10 Version 1507; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-126
Buffer Over-read
CVE-2025-55320
Assigner-Microsoft Corporation
CVSS Score-6.8 || MEDIUM
EPSS-0.18% / 40.09% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Configuration Manager Elevation of Privilege Vulnerability

Improper neutralization of special elements used in an SQL command ('SQL injection') in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over an adjacent network.

Action-Not Available
Vendor-Microsoft Corporation
Product-configuration_manager_2503; configuration_manager_2409; configuration_manager_2403; Microsoft Configuration Manager; Microsoft Configuration Manager 2409
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-24052
Assigner-Microsoft Corporation
CVSS Score-7.8 || HIGH
EPSS-0.12% / 31.65% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Agere Modem Driver Elevation of Privilege Vulnerability

Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update. Fax modem hardware dependent on this specific driver will no longer work on Windows. Microsoft recommends removing any existing dependencies on this hardware.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2012; windows_10_21h2; windows_11_24h2; windows_server_2022; windows_server_2022_23h2; windows_server_2025; windows_10_1507; windows_11_22h2; windows_server_2008; windows_11_23h2; windows_10_1607; windows_10_22h2; windows_10_1809; windows_server_2019; windows_11_25h2; windows_server_2016; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2012 R2; Windows Server 2016 (Server Core installation); Windows 10 Version 1507; Windows Server 2012; Windows Server 2008 Service Pack 2 (Server Core installation); Windows Server 2008 Service Pack 2; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2012 R2 (Server Core installation); Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows Server 2012 (Server Core installation); Windows 11 Version 24H2; Windows Server 2008 R2 Service Pack 1; Windows Server 2008 R2 Service Pack 1 (Server Core installation); Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2025-24990
Assigner-Microsoft Corporation
CVSS Score-7.8 || HIGH
EPSS-6.15% / 90.53% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV || Action Due Date - 2025-11-04 || Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Windows Agere Modem Driver Elevation of Privilege Vulnerability

Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update. Fax modem hardware dependent on this specific driver will no longer work on Windows. Microsoft recommends removing any existing dependencies on this hardware.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_24h2; windows_11_25h2; windows_server_2025; windows_10_1607; windows_server_2016; windows_server_2022_23h2; windows_10_21h2; windows_11_22h2; windows_10_1809; windows_10_22h2; windows_11_23h2; windows_server_2022; windows_server_2019; windows_server_2008; windows_server_2012; windows_10_1507; Windows Server 2025; Windows Server 2022; Windows 11 version 22H2; Windows Server 2012 R2; Windows Server 2016 (Server Core installation); Windows 10 Version 1507; Windows Server 2012; Windows Server 2008 Service Pack 2 (Server Core installation); Windows Server 2008 Service Pack 2; Windows 10 Version 1607; Windows 11 Version 25H2; Windows 10 Version 22H2; Windows 11 Version 23H2; Windows Server 2012 R2 (Server Core installation); Windows Server 2019; Windows Server 2016; Windows Server 2025 (Server Core installation); Windows 10 Version 1809; Windows 10 Version 21H2; Windows Server 2012 (Server Core installation); Windows 11 Version 24H2; Windows Server 2008 R2 Service Pack 1; Windows Server 2008 R2 Service Pack 1 (Server Core installation); Windows Server 2019 (Server Core installation); Windows Server 2022, 23H2 Edition (Server Core installation); Windows
CWE ID-CWE-822
Untrusted Pointer Dereference
CVE-2025-55315
Assigner-Microsoft Corporation
CVSS Score-9.9 || CRITICAL
EPSS-0.28% / 51.35% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ASP.NET Security Feature Bypass Vulnerability

Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-visual_studio_2022; asp.net_core; Microsoft Visual Studio 2022 version 17.12; Microsoft Visual Studio 2022 version 17.14; Microsoft Visual Studio 2022 version 17.10; ASP.NET Core 2.3; ASP.NET Core 9.0; ASP.NET Core 8.0
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2025-55247
Assigner-Microsoft Corporation
CVSS Score-7.3 || HIGH
EPSS-0.03% / 8.04% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
.NET Elevation of Privilege Vulnerability

Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation; Linux Kernel Organization, Inc
Product-linux_kernel; .net; .NET 9.0; .NET 8.0
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2025-53782
Assigner-Microsoft Corporation
CVSS Score-8.4 || HIGH
EPSS-0.06% / 20.14% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Exchange Server Elevation of Privilege Vulnerability

Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_server; Microsoft Exchange Server 2019 Cumulative Update 15; Microsoft Exchange Server 2019 Cumulative Update 14; Microsoft Exchange Server 2016 Cumulative Update 23; Microsoft Exchange Server Subscription Edition RTM
CWE ID-CWE-303
Incorrect Implementation of Authentication Algorithm
CVE-2025-50174
Assigner-Microsoft Corporation
CVSS Score-7 || HIGH
EPSS-0.06% / 19.14% || 7 Day CHG ~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Device Association Broker Service Elevation of Privilege Vulnerability

Use after free in Windows Device Association Broker service allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2025; windows_11_25h2; windows_11_24h2; Windows 11 Version 25H2; Windows 11 Version 24H2; Windows Server 2025; Windows Server 2025 (Server Core installation)
CWE ID-CWE-416
Use After Free
CVE-2025-48004
Assigner-Microsoft Corporation
CVSS Score-7.4 | HIGH
EPSS-0.08% / 24.25%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Brokering File System Elevation of Privilege Vulnerability

Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_22h2; windows_11_24h2; windows_11_23h2; windows_server_2022_23h2; windows_server_2025; windows_11_25h2; Windows 11 Version 25H2; Windows Server 2025; Windows 11 Version 23H2; Windows 11 version 22H2; Windows Server 2025 (Server Core installation); Windows 11 Version 24H2; Windows 11 version 22H3; Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-416
Use After Free
CVE-2025-47989
Assigner-Microsoft Corporation
CVSS Score-7 | HIGH
EPSS-0.04% / 12.35%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:00
Updated-02 Jan, 2026 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability

Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_connected_machine_agent; Arc Enabled Servers - Azure Connected Machine Agent
CWE ID-CWE-284
Improper Access Control
CVE-2025-37142
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.9 | MEDIUM
EPSS-0.04% / 12.38%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:59
Updated-12 Nov, 2025 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Arbitrary File Download Vulnerabilities in CLI Binary of AOS-8 Controller/Mobility Conductor Web-Based Management Interface

Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-284
Improper Access Control
CVE-2025-37141
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.9 | MEDIUM
EPSS-0.04% / 12.38%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:59
Updated-12 Nov, 2025 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Arbitrary File Download Vulnerabilities in CLI Binary of AOS-8 Controller/Mobility Conductor Web-Based Management Interface

Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-284
Improper Access Control
CVE-2025-37140
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.9 | MEDIUM
EPSS-0.04% / 12.38%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:58
Updated-12 Nov, 2025 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Arbitrary File Download Vulnerabilities in CLI Binary of AOS-8 Controller/Mobility Conductor Web-Based Management Interface

Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-284
Improper Access Control
CVE-2025-37139
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6 | MEDIUM
EPSS-0.02% / 3.55%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:58
Updated-14 Oct, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerability in AOS firmware allows for Authenticated Local malicious actor to Permanently Disable Boot

A vulnerability in an AOS firmware binary allows an authenticated malicious actor to permanently delete necessary boot information. Successful exploitation may render the system unbootable, resulting in a Denial of Service that can only be resolved by replacing the affected hardware.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-ArubaOS (AOS)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-37138
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.2 | MEDIUM
EPSS-0.03% / 10.18%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:57
Updated-12 Nov, 2025 | 21:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Command Injection Vulnerability in CLI Binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor Web-Based Management Interface (Physical Access Required)

An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. Exploitation of this vulnerability requires physical access to the hardware controllers. A successful attack could allow an authenticated malicious actor with physical access to execute arbitrary commands as a privileged user on the underlying operating system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-37137
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5 | MEDIUM
EPSS-0.09% / 25.31%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:57
Updated-12 Nov, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Arbitrary File Deletion Vulnerabilities in AOS-8 Controller/Mobility Conductor Command Line Interface (CLI)

Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-284
Improper Access Control
CVE-2025-37136
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5 | MEDIUM
EPSS-0.09% / 25.31%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:56
Updated-12 Nov, 2025 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Arbitrary File Deletion Vulnerabilities in AOS-8 Controller/Mobility Conductor Command Line Interface (CLI)

Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-284
Improper Access Control
CVE-2025-37135
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5 | MEDIUM
EPSS-0.09% / 25.31%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:56
Updated-12 Nov, 2025 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Arbitrary File Deletion Vulnerabilities in AOS-8 Controller/Mobility Conductor Command Line Interface (CLI)

Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-284
Improper Access Control
CVE-2025-37134
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2 | HIGH
EPSS-0.09% / 26.14%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:56
Updated-12 Nov, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Command Injection Vulnerability in the Low-Level Interface Library Affecting AOS-10 GW and AOS-8 Controller/Mobility Conductor Web-Based Management Interface

An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-8430
Assigner-Centreon
CVSS Score-6.8 | MEDIUM
EPSS-0.01% / 0.79%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:54
Updated-22 Oct, 2025 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A user with elevated privileges can inject XSS in the Commands Connectors configuration page

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Commands Connectors configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.

Action-Not Available
Vendor-CENTREON
Product-centreon_web; Infra Monitoring
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-37133
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2 | HIGH
EPSS-0.09% / 26.14%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:54
Updated-12 Nov, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Command Injection Vulnerability in AOS-8 Controller/Mobility Conductor Web-Based Management Interface via the CLI Binary

An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-37132
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2 | HIGH
EPSS-0.07% / 20.54%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:53
Updated-12 Nov, 2025 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Remote Code Execution Vulnerability in AOS-10 GW and AOS-8 Controller/Mobility Conductor Web-Based Management Interface via Arbitrary File Write

An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE); Aruba Networks
Product-arubaos; ArubaOS (AOS)
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-11548
Assigner-TIBCO Software Inc.
CVSS Score-9.3 | CRITICAL
EPSS-0.56% / 67.68%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:45
Updated-14 Oct, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ibi WebFOCUS - Unauthenticated RCE Vulnerability

A remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application, which may lead to unauthenticated Remote Code Execution.

Action-Not Available
Vendor-ibi - Information Builders (Cloud Software Group, Inc.)
Product-WebFOCUS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-37148
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5 | MEDIUM
EPSS-0.11% / 30.79%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:43
Updated-14 Oct, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel Panic triggered by Modified Ethernet Frames leads to Denial of Service Vulnerability

A vulnerability in the parsing of ethernet frames in AOS-8 Instant and AOS 10 could allow an unauthenticated remote attacker to conduct a denial of service attack. Successful exploitation could allow an attacker to potentially disrupt network services and require manual intervention to restore functionality.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-ArubaOS (AOS)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-37147
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.1 | HIGH
EPSS-0.02% / 3.65%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:42
Updated-14 Oct, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Secure Boot Bypass allows for Compromise of Hardware Root of Trust

A Secure Boot Bypass Vulnerability exists in affected Access Points that allows an adversary to bypass the hardware root of trust verification in place to ensure only vendor-signed firmware can execute on the device. An adversary can exploit this vulnerability to run modified or custom firmware on affected Access Points.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-ArubaOS (AOS)
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2025-37146
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2 | HIGH
EPSS-0.22% / 44.07%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:42
Updated-16 Oct, 2025 | 03:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized Filesystem Operations in System Firmware allow Authenticated Remote Code Execution

A vulnerability in the web-based management interface of network access point configuration services could allow an authenticated remote attacker to perform remote command execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-ArubaOS (AOS)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-36730
Assigner-Tenable Network Security, Inc.
CVSS Score-4.6 | MEDIUM
EPSS-0.03% / 9.34%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 16:24
Updated-14 Oct, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windsurf Prompt Injection via Filename

A prompt injection vulnerability exists in Windsurf version 1.10.7 in Write mode using the SWE-1 model. It is possible to create a file name that will be appended to the user prompt, causing Windsurf to follow its instructions.

Action-Not Available
Vendor-Windsurf
Product-Windsurf
CWE ID-CWE-1427
Improper Neutralization of Input Used for LLM Prompting
CVE-2025-37149
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6 | MEDIUM
EPSS-0.02% / 3.26%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:55
Updated-28 Oct, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential out-of-bounds read vulnerability in HPE ProLiant RL300 Gen11 Server's UEFI firmware.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-ProLiant RL300 Gen11 Server
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-11577
Assigner-CERT/CC
CVSS Score-7.6 | HIGH
EPSS-0.03% / 6.99%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:34
Updated-15 Oct, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clevo UEFI firmware exposed Boot Guard private keys, enabling potential abuse of the Boot Guard trust chain

Clevo’s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process.

Action-Not Available
Vendor-Clevo
Product-Notebook System Firmware
CVE-2025-8429
Assigner-Centreon
CVSS Score-6.8 | MEDIUM
EPSS-0.01% / 0.79%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:29
Updated-22 Oct, 2025 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A user with elevated privileges can inject XSS in the ACL Action access configuration page

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (ACL Action access configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.

Action-Not Available
Vendor-CENTREON
Product-centreon_web; Infra Monitoring
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-54893
Assigner-Centreon
CVSS Score-6.8 | MEDIUM
EPSS-0.01% / 0.79%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:24
Updated-22 Oct, 2025 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A user with elevated privileges can inject XSS in the Hosts templates configuration page

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts templates configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.

Action-Not Available
Vendor-CENTREON
Product-centreon_web; Infra Monitoring
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31514
Assigner-Fortinet, Inc.
CVSS Score-2.6 | LOW
EPSS-0.04% / 12.79%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:23
Updated-14 Jan, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS 7.6.0 through 7.6.3, 7.4 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information via observing logs or via diagnose command.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortios; fortiproxy; FortiProxy; FortiOS
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2025-46774
Assigner-Fortinet, Inc.
CVSS Score-6.8 | MEDIUM
EPSS-0.01% / 0.54%
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:23
Updated-14 Jan, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiClient MacOS installer version 7.4.2 and below, version 7.2.9 and below, 7.0 all versions may allow a local user to escalate their privileges via FortiClient related executables.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlient; FortiClientMac
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2025-54822
Assigner-Fortinet, Inc.
ShareView Details
Assigner-Fortinet, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.04% / 10.67%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:23
Updated-14 Jan, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper authorization vulnerability [CWE-285] in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.11, FortiProxy 7.4.0 through 7.4.8, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiProxy 2.0 all versions allows an authenticated attacker to access static files of other VDOMs via crafted HTTP or HTTPS requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortios; fortiproxy; FortiProxy; FortiOS
CWE ID-CWE-285
Improper Authorization