Veeam releases security patches to fix multiple critical vulnerabilities, including RCE

Veeam has released a series of critical security updates to its Backup & Replication software, addressing multiple flaws, including a vulnerability classified as “critical” that could lead to remote code execution (RCE).

Critical Remote Code Execution (RCE) Vulnerability

The most notable vulnerability is CVE-2025-59470, which has a CVSS score of 9.0. This flaw allows a Backup or Tape operator to perform remote code execution as the postgres user by sending a malicious interval or order parameter. ...

January 7, 2026 · Comfidentia

Critical Vulnerability Alert in SmarterTools SmarterMail: Remote Code Execution without Authentication

Critical Vulnerability Warning in SmarterTools SmarterMail

The Cyber Security Agency of Singapore (CSA) has issued an alert regarding a major security flaw in the SmarterTools SmarterMail email software. This vulnerability, with a CVSS score of 10.0, could be exploited to achieve remote code execution (RCE) without the need for authentication.

Vulnerability Details (CVE-2025-52691)

The vulnerability, identified as CVE-2025-52691, is a case of arbitrary file upload. This means that an unauthenticated attacker could upload files of any type to any location on the mail server. If these malicious files (such as web shells or binaries) are interpreted and executed as code by the application environment, the attacker could gain control with the same privileges as the SmarterMail service. ...

December 30, 2025 · Comfidentia

HPE Resolves Critical Remote Code Execution Vulnerability in OneView

Hewlett Packard Enterprise (HPE) has announced the resolution of a maximum severity security vulnerability in its OneView software. The flaw, if successfully exploited, could allow remote code execution. The critical vulnerability has been identified as CVE-2025-37164 and has a CVSS score of 10.0. HPE OneView is an IT infrastructure management tool that simplifies operations and enables centralized control of all systems.

Vulnerability Details (CVE-2025-37164)

The security flaw allows an unauthenticated, remote attacker to perform code execution on the affected system. HPE has issued a security warning urging users to take immediate action. ...

December 20, 2025 · Comfidentia

More than 30 vulnerabilities discovered in IDEs with AI that allow data theft and RCE

A recent investigation has revealed more than 30 security vulnerabilities in several Integrated Development Environments (IDEs) powered by artificial intelligence (AI). These flaws, collectively called “IDEsaster”, combine prompt injection primitives with legitimate IDE features to achieve data exfiltration and remote code execution (RCE). Security researcher Ari Marzouk (MaccariTA) discovered that the vulnerabilities affect popular IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie and Cline, among others. Of these, 24 vulnerabilities have been given CVE identifiers. ...

December 6, 2025 · Comfidentia

Hacking Groups Linked to China Quickly Exploit Critical React2Shell Vulnerability (CVE-2025-55182)

Two hacking groups linked to China have been detected weaponizing the newly disclosed vulnerability in React Server Components (RSC), known as React2Shell. The exploit was observed just hours after the existence of the flaw was made public, underscoring how quickly threat actors integrate new exploits into their campaigns.

The React2Shell Vulnerability (CVE-2025-55182)

The vulnerability in question is CVE-2025-55182, which has received a CVSS score of 10.0, indicating its maximum severity. This flaw allows unauthenticated remote code execution (RCE). ...

December 5, 2025 · Comfidentia

Five Critical Vulnerabilities in Fluent Bit Could Compromise Cloud Infrastructures

Security researchers at Oligo Security have discovered five vulnerabilities in Fluent Bit, a lightweight, open-source telemetry agent, that could be chained together to compromise and take control of cloud infrastructures. Fluent Bit is widely used in enterprise environments, and successful exploitation of these flaws could allow attackers to disrupt cloud services, manipulate data, and move deeper into Kubernetes and cloud infrastructures.

Details of Vulnerabilities

The identified security flaws allow attackers to bypass authentication, perform path traversal, achieve remote code execution (RCE), cause denial of service (DoS) conditions, and manipulate tags. The five vulnerabilities are detailed below: ...

November 24, 2025 · Comfidentia

7-Zip vulnerability under active exploitation

A newly disclosed security vulnerability affecting 7-Zip is being actively exploited in the wild, according to an advisory issued by the United Kingdom’s NHS England Digital. The vulnerability allows remote attackers to execute arbitrary code on affected systems.

Vulnerability Details (CVE-2025-11001)

The primary vulnerability, identified as CVE-2025-11001 (with a CVSS score of 7.0), lies in the handling of symbolic links within ZIP files.

Exploitation Mechanism: Attackers can create crafted data within a ZIP archive that forces the decompression process to traverse unwanted directories.
Impact: Allows remote code execution (RCE) in the context of the affected user or service account.
Discovery: The flaw was discovered and reported by Ryota Shiga of GMO Flatt Security Inc., with the help of the AI-powered AppSec Auditor Takumi audit tool.

Related Vulnerability (CVE-2025-11002)

The 7-Zip version 25.00 update also addresses another similar flaw, CVE-2025-11002 (CVSS score of 7.0). This vulnerability also exploits improper handling of symbolic links in ZIP files to achieve directory traversal and RCE. Both flaws were introduced in 7-Zip version 21.02. ...

November 19, 2025 · Comfidentia