ACT NOW CVE-2025-2749 7.2 Remote code execution in Kentico Xperience CMS versions through 13.0.178 allows authenticated administrators to upload arbitrary files to controlled server paths via path traversal in the Staging Sync Server component. Confirmed actively exploited in the wild (CISA KEV). Public exploit available with detailed bypass techniques. EPSS score of 1.23% (79th percentile) suggests targeted exploitation rather than widespread scanning. While CVSS 7.2 requires high-privilege (administrator) authentication, active exploitation status makes this a priority for organizations running Kentico CMS. | ACT NOW CVE-2025-2747 9.8 Kentico Xperience contains a second authentication bypass in the Staging Sync Server through None-type password handling, allowing administrative control. Companion to CVE-2025-2746. | ACT NOW CVE-2025-2746 9.8 Kentico Xperience through 13.0.172 contains an authentication bypass in the Staging Sync Server through empty SHA1 username handling in digest authentication, allowing administrative object control. | ACT NOW CVE-2025-2620 9.3 A vulnerability has been found in D-Link DAP-1620 1.03 and classified as critical. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.6%. | ACT NOW CVE-2025-29927 9.1 Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer. | ACT NOW CVE-2024-6842 7.5 AnythingLLM version 1.5.5 exposes sensitive system settings including search engine API keys through the unauthenticated /setup-complete endpoint. Attackers can steal API keys, enumerate system configuration, and leverage exposed credentials to compromise integrated services. | ACT NOW CVE-2025-30154 8.6 reviewdog/action-setup GitHub Action was compromised with malicious code that dumped CI/CD secrets to workflow logs, affecting all reviewdog actions that depend on this setup action. | ACT NOW CVE-2025-30066 8.6 tj-actions/changed-files GitHub Action was compromised in a supply chain attack where modified tags pointed to credential-stealing code, exposing secrets from GitHub Actions workflows across thousands of repositories. | EMERGENCY CVE-2025-29384 9.8 In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.6%. | ACT NOW CVE-2025-2264 7.5 Sante PACS Server contains an unauthenticated path traversal vulnerability that allows remote attackers to download arbitrary files from the server's installation drive. Medical imaging servers typically contain DICOM files with protected health information (PHI), making this a significant healthcare data breach vector. | ACT NOW CVE-2025-25291 9.3 ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%. | ACT NOW CVE-2025-24201 10.0 A critical out-of-bounds write in WebKit's rendering engine allows maliciously crafted web content to escape the Web Content sandbox, achieving native code execution on Apple devices. Rated CVSS 10.0 and KEV-listed, CVE-2025-24201 is a supplementary fix for a previously patched vulnerability that was being actively exploited in extremely sophisticated targeted attacks. Affects all Apple platforms: iOS, iPadOS, macOS, Safari, visionOS, and watchOS. | ACT NOW CVE-2025-26633 7.0 A security feature bypass in Microsoft Management Console (MMC) allows attackers to evade security warnings and execute malicious code locally. KEV-listed and tracked as CVE-2025-26633, this vulnerability has been actively exploited by the Water Gamayun threat group (also tracked as EncryptHub) using crafted .msc files to deploy info-stealing malware. Public PoC is available and EPSS is 7.1%. | ACT NOW CVE-2025-24993 7.8 A heap-based buffer overflow in the Windows NTFS driver allows unauthenticated local code execution, providing kernel-level access when a user mounts a crafted NTFS filesystem image. This KEV-listed vulnerability (CVE-2025-24993) targets the most widely used Windows filesystem, making it a significant threat through malicious USB drives, VHD files, or network shares. | ACT NOW CVE-2025-24985 7.8 An integer overflow in the Windows Fast FAT Driver allows unauthenticated local code execution through crafted FAT filesystem images. KEV-listed with public PoC, this vulnerability (CVE-2025-24985) can be triggered by mounting a malicious USB drive or VHD file, making it a potent vector for physical access attacks and social engineering scenarios. | ACT NOW CVE-2025-24984 4.6 Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack. [CVSS 4.6 MEDIUM] [CISA KEV - actively exploited] | ACT NOW CVE-2025-24983 7.0 A use-after-free vulnerability in the Windows Win32 Kernel Subsystem enables local privilege escalation from authorized user to SYSTEM level. This KEV-listed vulnerability (CVE-2025-24983) requires the attacker to win a race condition but has been actively exploited in targeted attacks. Microsoft has released patches for all supported Windows versions. | ACT NOW CVE-2025-27363 8.1 Arbitrary code execution in FreeType 2.13.0 and earlier via heap buffer overflow when parsing TrueType GX/variable font subglyph structures. Confirmed actively exploited in the wild (CISA KEV). Attack requires high complexity but no authentication, affecting widespread deployments including Android, Debian, and applications embedding FreeType for font rendering. EPSS score of 76.15% (99th percentile) reflects significant real-world exploitation risk. Vendor patches available; immediate upgrade to post-2.13.0 versions critical. | EMERGENCY CVE-2024-54085 9.8 A critical authentication bypass in AMI SPx BMC firmware allows unauthenticated remote attackers to gain full control of server hardware through the Redfish Host Interface. This KEV-listed vulnerability (CVSS 9.8) threatens the entire server fleet of organizations using AMI-based BMC implementations, enabling attackers to persist below the OS layer where traditional security tools cannot detect them. | EMERGENCY CVE-2025-24813 9.8 A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2. | EMERGENCY CVE-2025-25632 9.8 Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.8%. | EMERGENCY CVE-2025-1316 9.3 Edimax IC-7100 IP camera allows unauthenticated remote code execution through improper neutralization of requests, with no patch available as the device is end-of-life. | EMERGENCY CVE-2025-26319 9.8 FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Unauthenticated attackers can upload malicious files including executable scripts, achieving remote code execution on the Flowise server. | ACT NOW CVE-2025-22226 7.1 VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowing VM administrators to leak memory from the VMX process on the host. | ACT NOW CVE-2025-22225 8.2 VMware ESXi contains an arbitrary write vulnerability that allows privileged VMX process users to trigger kernel writes, enabling escape from the VMX sandbox to the ESXi kernel. | EMERGENCY CVE-2025-22224 9.3 VMware ESXi and Workstation contain a TOCTOU race condition leading to out-of-bounds write, allowing local administrators on VMs to escape the sandbox and execute code as the VMX process on the host. | ACT NOW CVE-2024-48248 8.6 NAKIVO Backup & Replication contains an absolute path traversal allowing unauthenticated remote attackers to read arbitrary files, including configuration files with cleartext credentials for physical discovery operations. | ACT NOW CVE-2025-26264 8.8 GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.5%. | ACT NOW CVE-2025-22952 9.8 elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.0%. | ACT NOW CVE-2024-13869 7.2 The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.7%. |

ACT NOW CVE-2025-2749 7.2 Remote code execution in Kentico Xperience CMS versions through 13.0.178 allows authenticated administrators to upload arbitrary files to controlled server paths via path traversal in the Staging Sync Server component. Confirmed actively exploited in the wild (CISA KEV). Public exploit available with detailed bypass techniques. EPSS score of 1.23% (79th percentile) suggests targeted exploitation rather than widespread scanning. While CVSS 7.2 requires high-privilege (administrator) authentication, active exploitation status makes this a priority for organizations running Kentico CMS. | ACT NOW CVE-2025-2747 9.8 Kentico Xperience contains a second authentication bypass in the Staging Sync Server through None-type password handling, allowing administrative control. Companion to CVE-2025-2746. | ACT NOW CVE-2025-2746 9.8 Kentico Xperience through 13.0.172 contains an authentication bypass in the Staging Sync Server through empty SHA1 username handling in digest authentication, allowing administrative object control. | ACT NOW CVE-2025-2620 9.3 A vulnerability has been found in D-Link DAP-1620 1.03 and classified as critical. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.6%. | ACT NOW CVE-2025-29927 9.1 Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer. | ACT NOW CVE-2024-6842 7.5 AnythingLLM version 1.5.5 exposes sensitive system settings including search engine API keys through the unauthenticated /setup-complete endpoint. Attackers can steal API keys, enumerate system configuration, and leverage exposed credentials to compromise integrated services. | ACT NOW CVE-2025-30154 8.6 reviewdog/action-setup GitHub Action was compromised with malicious code that dumped CI/CD secrets to workflow logs, affecting all reviewdog actions that depend on this setup action. | ACT NOW CVE-2025-30066 8.6 tj-actions/changed-files GitHub Action was compromised in a supply chain attack where modified tags pointed to credential-stealing code, exposing secrets from GitHub Actions workflows across thousands of repositories. | EMERGENCY CVE-2025-29384 9.8 In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.6%. | ACT NOW CVE-2025-2264 7.5 Sante PACS Server contains an unauthenticated path traversal vulnerability that allows remote attackers to download arbitrary files from the server's installation drive. Medical imaging servers typically contain DICOM files with protected health information (PHI), making this a significant healthcare data breach vector. | ACT NOW CVE-2025-25291 9.3 ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%. | ACT NOW CVE-2025-24201 10.0 A critical out-of-bounds write in WebKit's rendering engine allows maliciously crafted web content to escape the Web Content sandbox, achieving native code execution on Apple devices. Rated CVSS 10.0 and KEV-listed, CVE-2025-24201 is a supplementary fix for a previously patched vulnerability that was being actively exploited in extremely sophisticated targeted attacks. Affects all Apple platforms: iOS, iPadOS, macOS, Safari, visionOS, and watchOS. | ACT NOW CVE-2025-26633 7.0 A security feature bypass in Microsoft Management Console (MMC) allows attackers to evade security warnings and execute malicious code locally. KEV-listed and tracked as CVE-2025-26633, this vulnerability has been actively exploited by the Water Gamayun threat group (also tracked as EncryptHub) using crafted .msc files to deploy info-stealing malware. Public PoC is available and EPSS is 7.1%. | ACT NOW CVE-2025-24993 7.8 A heap-based buffer overflow in the Windows NTFS driver allows unauthenticated local code execution, providing kernel-level access when a user mounts a crafted NTFS filesystem image. This KEV-listed vulnerability (CVE-2025-24993) targets the most widely used Windows filesystem, making it a significant threat through malicious USB drives, VHD files, or network shares. | ACT NOW CVE-2025-24985 7.8 An integer overflow in the Windows Fast FAT Driver allows unauthenticated local code execution through crafted FAT filesystem images. KEV-listed with public PoC, this vulnerability (CVE-2025-24985) can be triggered by mounting a malicious USB drive or VHD file, making it a potent vector for physical access attacks and social engineering scenarios. | ACT NOW CVE-2025-24984 4.6 Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack. [CVSS 4.6 MEDIUM] [CISA KEV - actively exploited] | ACT NOW CVE-2025-24983 7.0 A use-after-free vulnerability in the Windows Win32 Kernel Subsystem enables local privilege escalation from authorized user to SYSTEM level. This KEV-listed vulnerability (CVE-2025-24983) requires the attacker to win a race condition but has been actively exploited in targeted attacks. Microsoft has released patches for all supported Windows versions. | ACT NOW CVE-2025-27363 8.1 Arbitrary code execution in FreeType 2.13.0 and earlier via heap buffer overflow when parsing TrueType GX/variable font subglyph structures. Confirmed actively exploited in the wild (CISA KEV). Attack requires high complexity but no authentication, affecting widespread deployments including Android, Debian, and applications embedding FreeType for font rendering. EPSS score of 76.15% (99th percentile) reflects significant real-world exploitation risk. Vendor patches available; immediate upgrade to post-2.13.0 versions critical. | EMERGENCY CVE-2024-54085 9.8 A critical authentication bypass in AMI SPx BMC firmware allows unauthenticated remote attackers to gain full control of server hardware through the Redfish Host Interface. This KEV-listed vulnerability (CVSS 9.8) threatens the entire server fleet of organizations using AMI-based BMC implementations, enabling attackers to persist below the OS layer where traditional security tools cannot detect them. | EMERGENCY CVE-2025-24813 9.8 A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2. | EMERGENCY CVE-2025-25632 9.8 Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.8%. | EMERGENCY CVE-2025-1316 9.3 Edimax IC-7100 IP camera allows unauthenticated remote code execution through improper neutralization of requests, with no patch available as the device is end-of-life. | EMERGENCY CVE-2025-26319 9.8 FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Unauthenticated attackers can upload malicious files including executable scripts, achieving remote code execution on the Flowise server. | ACT NOW CVE-2025-22226 7.1 VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowing VM administrators to leak memory from the VMX process on the host. | ACT NOW CVE-2025-22225 8.2 VMware ESXi contains an arbitrary write vulnerability that allows privileged VMX process users to trigger kernel writes, enabling escape from the VMX sandbox to the ESXi kernel. | EMERGENCY CVE-2025-22224 9.3 VMware ESXi and Workstation contain a TOCTOU race condition leading to out-of-bounds write, allowing local administrators on VMs to escape the sandbox and execute code as the VMX process on the host. | ACT NOW CVE-2024-48248 8.6 NAKIVO Backup & Replication contains an absolute path traversal allowing unauthenticated remote attackers to read arbitrary files, including configuration files with cleartext credentials for physical discovery operations. | ACT NOW CVE-2025-26264 8.8 GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.5%. | ACT NOW CVE-2025-22952 9.8 elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.0%. | ACT NOW CVE-2024-13869 7.2 The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.7%. |