vulnerability

Chromium developers have closed a high‑severity upstream bug — tracked as CVE‑2025‑10201 — that the Chromium project describes as an “inappropriate implementation in Mojo” which could be abused, via a crafted HTML page, to bypass Chrome’s site‑isolation protections on Android, Linux and...

A newly assigned Chromium vulnerability, CVE-2025-10200, is a use‑after‑free flaw in the ServiceWorker implementation that Google patched in its September stable updates; the bug allows a remote attacker, by luring a user to a crafted page, to trigger heap corruption and potentially achieve...

Daikin’s Security Gateway is affected by a critical pre‑authentication password‑reset flaw that lets an unauthenticated attacker reset device credentials to the factory default and take control of the appliance and any connected systems — the issue is tracked as CVE‑2025‑10127 and rated highly...

Siemens has confirmed a vulnerability in its APOGEE PXC and TALON TC building automation devices that allows an unauthenticated remote actor to retrieve sensitive files — including the device’s encrypted database — over BACnet, a widely used building automation protocol, a weakness now tracked...

Nullsoft Scriptable Install System (NSIS) code used inside several SIMOTION setup components contains a local privilege‑escalation flaw that Siemens and U.S. cyber authorities have republished as a coordinated advisory, warning that installing affected SIMOTION Tools on Windows can allow an...

Siemens’ cloud-hosted SIMATIC Virtualization as a Service (SIVaaS) has been found to expose a network share without authentication — a configuration defect that Siemens has cataloged as CVE-2025-40804 and scored as critical (CVSS v3.1 = 9.1; CVSS v4 = 9.3). This flaw allows unauthenticated...

Microsoft’s September 2025 Patch Tuesday shipped a wide-ranging set of fixes addressing 80 CVEs across Windows, Office, virtualization, and platform components — with eight rated Critical and 72 rated Important — and included several high-profile fixes for SMB, NTLM, NTFS, Office, SharePoint...

Newtonsoft.Json versions prior to 13.0.1 contain a well-documented flaw—tracked as CVE-2024-21907—where deeply nested or crafted JSON can force the library into a StackOverflow or resource‑exhaustion condition when parsing or serializing, producing a remote-denial‑of‑service (DoS) vector for...

Microsoft’s advisory for CVE-2025-55224 describes a concurrency flaw in the Windows kernel graphics component (Win32K — GRFX) that can be manipulated by an authorized local actor to gain code execution or elevate privileges on an affected system; the bug is a race condition (improper...

Microsoft’s Security Response Center has cataloged CVE-2025-54915 as an elevation-of-privilege vulnerability in the Windows Defender Firewall Service described as “Access of resource using incompatible type (‘type confusion’),” and the vendor advises that an authorized local attacker could...

Microsoft’s security update guide lists CVE‑2025‑54911 as a use‑after‑free defect in Windows BitLocker that can be triggered by an authorized local user to elevate privileges on affected machines, creating a high‑impact local elevation‑of‑privilege risk that administrators must treat as urgent...

Microsoft’s advisory classifies CVE-2025-54901 as a buffer over-read (out‑of‑bounds read) in Microsoft Office Excel that can disclose process memory contents when a crafted spreadsheet is opened. Executive summary What it is: CVE-2025-54901 is an information‑disclosure vulnerability in...

Improper access control in Windows MultiPoint Services (CVE-2025-54116) allows a locally authorized attacker to elevate their privileges on an affected host. Executive summary What it is: CVE-2025-54116 is an elevation-of-privilege (EoP) vulnerability in Microsoft’s Windows MultiPoint Services...

Microsoft released a hotpatch—KB5065474—on September 9, 2025, for Windows 11 Enterprise LTSC 2024 that updates eligible devices to OS Build 26100.6508 and delivers targeted security and quality fixes while calling attention to an important Secure Boot certificate expiration window and a specific...

A newly disclosed race‑condition vulnerability in the Windows Capability Access Management Service (camsvc) can be abused by a local attacker to escalate privileges to SYSTEM on unpatched hosts, and organizations should treat the advisory as a high‑priority patching event for affected Windows...

Microsoft has published an advisory for CVE-2025-54105 — a local elevation-of-privilege vulnerability in the Microsoft Brokering File System (BFS) caused by a concurrency bug (race condition) that can be exploited by an authenticated local user to gain elevated rights on the host. Background The...

Microsoft’s security advisory for CVE-2025-54094 identifies a type‑confusion flaw in the Windows Defender Firewall Service that can be triggered by an authorized local actor to perform a local Elevation of Privilege (EoP) — in short, an attacker with the ability to run code as a non‑privileged...

A newly disclosed vulnerability in Windows Routing and Remote Access Service (RRAS) — tracked as CVE-2025-53806 in the Microsoft Security Response Center entry provided by the reporter — is an out‑of‑bounds read / buffer over‑read that can allow an attacker to obtain memory contents from an...

Microsoft has published an advisory for CVE-2025-53801: an untrusted pointer dereference in the Windows Desktop Window Manager (DWM) Core Library that can be triggered by an authorized local user to elevate privileges on affected systems. The flaw resides in DWM’s memory handling and, when...

Microsoft’s advisory identifies CVE-2025-53803 as a Windows Kernel memory information disclosure vulnerability: an error message generated by kernel code can contain sensitive kernel memory contents, allowing an authenticated local actor to read data that should remain protected. Background The...