ACT NOW CVE-2025-1094 8.1 PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperly neutralize quoting syntax, enabling SQL injection when function results are used to construct psql input. This vulnerability was used as the initial access vector in the BeyondTrust RS compromise chain. | ACT NOW CVE-2025-0111 7.1 Palo Alto Networks PAN-OS management interface contains an authenticated file read vulnerability allowing reading of files accessible to the 'nobody' user, exploited alongside CVE-2025-0108 for configuration extraction. | ACT NOW CVE-2025-0108 8.8 Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers to invoke PHP scripts, potentially leading to system compromise when chained with other vulnerabilities. | ACT NOW CVE-2025-21418 7.8 Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation to SYSTEM, exploited in the wild in February 2025. | ACT NOW CVE-2025-21391 7.1 Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attackers to delete targeted files, enabling privilege escalation. | ACT NOW CVE-2025-24472 8.1 FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/downstream device serial numbers to gain super-admin privileges on downstream devices. | EMERGENCY CVE-2025-24016 9.9 Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers. | EMERGENCY CVE-2025-24786 10.0 WhoDB open-source database management tool allows unauthenticated path traversal to access any SQLite3 database on the host machine. Beyond data exposure, affected versions enable reading sensitive system files and executing arbitrary commands through SQLite extensions, achieving full server compromise. | ACT NOW CVE-2025-0994 8.6 Trimble Cityworks asset management platform contains a deserialization vulnerability allowing authenticated users to achieve remote code execution on the IIS web server hosting the application. | EMERGENCY CVE-2024-48445 9.8 An issue in compop.ca ONLINE MALL v.3.5.3 allows a remote attacker to execute arbitrary code via the rid, tid, et, and ts parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.9%. | EMERGENCY CVE-2025-0364 9.8 BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.3%. | ACT NOW CVE-2024-40891 8.8 Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, companion vulnerability to CVE-2024-40890 affecting the same unsupported device. | ACT NOW CVE-2024-40890 8.8 Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication OS command injection in the CGI program, allowing authenticated attackers to execute OS commands via crafted HTTP POST requests. No patch available (EOL device). | ACT NOW CVE-2025-25181 5.8 A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | ACT NOW CVE-2024-57968 9.9 Advantive VeraCore warehouse management system allows authenticated users to upload files to unintended directories, enabling web shell deployment through the upload.aspx endpoint. | EMERGENCY CVE-2025-24085 10.0 Apple CoreMedia contains a use-after-free vulnerability allowing malicious applications to elevate privileges, exploited in the wild against iOS versions before iOS 17.2 as part of targeted surveillance operations. | ACT NOW CVE-2025-22604 9.1 Cacti versions prior to 1.2.29 contain an authenticated command injection through the SNMP result parser. By injecting malformed OIDs into SNMP responses, authenticated users can execute arbitrary system commands when the results are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions. | ACT NOW CVE-2025-0411 7.0 7-Zip contains a Mark-of-the-Web bypass vulnerability allowing attackers to circumvent Windows security warnings when extracting files from malicious archives, exploited in campaigns targeting Ukrainian organizations. | ACT NOW CVE-2025-23006 9.8 SonicWall SMA1000 AMC and CMC contain a pre-authentication deserialization vulnerability allowing unauthenticated remote attackers to execute arbitrary OS commands on the management appliance. | ACT NOW CVE-2025-23209 8.0 Craft CMS 4 and 5 contain a remote code execution vulnerability exploitable when the application's security key has been compromised, allowing attackers with the key to execute arbitrary code on the server. |

ACT NOW CVE-2025-1094 8.1 PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperly neutralize quoting syntax, enabling SQL injection when function results are used to construct psql input. This vulnerability was used as the initial access vector in the BeyondTrust RS compromise chain. | ACT NOW CVE-2025-0111 7.1 Palo Alto Networks PAN-OS management interface contains an authenticated file read vulnerability allowing reading of files accessible to the 'nobody' user, exploited alongside CVE-2025-0108 for configuration extraction. | ACT NOW CVE-2025-0108 8.8 Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers to invoke PHP scripts, potentially leading to system compromise when chained with other vulnerabilities. | ACT NOW CVE-2025-21418 7.8 Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation to SYSTEM, exploited in the wild in February 2025. | ACT NOW CVE-2025-21391 7.1 Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attackers to delete targeted files, enabling privilege escalation. | ACT NOW CVE-2025-24472 8.1 FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/downstream device serial numbers to gain super-admin privileges on downstream devices. | EMERGENCY CVE-2025-24016 9.9 Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers. | EMERGENCY CVE-2025-24786 10.0 WhoDB open-source database management tool allows unauthenticated path traversal to access any SQLite3 database on the host machine. Beyond data exposure, affected versions enable reading sensitive system files and executing arbitrary commands through SQLite extensions, achieving full server compromise. | ACT NOW CVE-2025-0994 8.6 Trimble Cityworks asset management platform contains a deserialization vulnerability allowing authenticated users to achieve remote code execution on the IIS web server hosting the application. | EMERGENCY CVE-2024-48445 9.8 An issue in compop.ca ONLINE MALL v.3.5.3 allows a remote attacker to execute arbitrary code via the rid, tid, et, and ts parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.9%. | EMERGENCY CVE-2025-0364 9.8 BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.3%. | ACT NOW CVE-2024-40891 8.8 Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, companion vulnerability to CVE-2024-40890 affecting the same unsupported device. | ACT NOW CVE-2024-40890 8.8 Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication OS command injection in the CGI program, allowing authenticated attackers to execute OS commands via crafted HTTP POST requests. No patch available (EOL device). | ACT NOW CVE-2025-25181 5.8 A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | ACT NOW CVE-2024-57968 9.9 Advantive VeraCore warehouse management system allows authenticated users to upload files to unintended directories, enabling web shell deployment through the upload.aspx endpoint. | EMERGENCY CVE-2025-24085 10.0 Apple CoreMedia contains a use-after-free vulnerability allowing malicious applications to elevate privileges, exploited in the wild against iOS versions before iOS 17.2 as part of targeted surveillance operations. | ACT NOW CVE-2025-22604 9.1 Cacti versions prior to 1.2.29 contain an authenticated command injection through the SNMP result parser. By injecting malformed OIDs into SNMP responses, authenticated users can execute arbitrary system commands when the results are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions. | ACT NOW CVE-2025-0411 7.0 7-Zip contains a Mark-of-the-Web bypass vulnerability allowing attackers to circumvent Windows security warnings when extracting files from malicious archives, exploited in campaigns targeting Ukrainian organizations. | ACT NOW CVE-2025-23006 9.8 SonicWall SMA1000 AMC and CMC contain a pre-authentication deserialization vulnerability allowing unauthenticated remote attackers to execute arbitrary OS commands on the management appliance. | ACT NOW CVE-2025-23209 8.0 Craft CMS 4 and 5 contain a remote code execution vulnerability exploitable when the application's security key has been compromised, allowing attackers with the key to execute arbitrary code on the server. |