CVE-2025-31324 (CVSS 9.8), published on April 24th 2025, allows unauthenticated attackers to upload executable files [CWE-434] via the NetWeaver Visual Composer component which can result in Remote Code Execution (RCE). The CVE presents a high degree of risk; many publicly available proof-of-concept (PoC) exploits [1][2][3][4][5] are available, and active attack campaigns have been alerted by […]
In the early days of digital, hacking was often fame or prank driven. Fast forward to 2025; hacking has been widely monetized for illicit gains. Cybercrime is predicted to cost the global economy 10.5 trillion Dollar in 2025. Globally, the trend of increasing geocriminality is pushing individual countries and entire economic regions [1][2] to make […]
CVE-2025-34028 (CVSS 10) is a maximum severity flaw in Commvault Command Center, a popular admin console for managing IT security services such as data protection and backups across enterprise environments. As of April 28th, CVE-2025-34028 has been flagged as actively exploited. CVE-2025-34028 also presents heightened risk due to the existence of publicly available proof-of-concept (PoC) […]
When it comes to protecting your organization from digital threats, who should you trust? Reality dictates that high-resilience IT security is forged from a network of strong partnerships, defense in depth; layered security controls, and regular auditing. Defensive posture needs to be monitored, measured and continuously improved. While vulnerability management has always been a core […]
A new critical vulnerability of the highest possible severity score – CVE-2024-54085, CVSS 10 – has just been disclosed. It is found in the widely used American Megatrends’ (AMI) MegaRAC BMC (Baseboard Management Controller) software allowing authentication bypass and exploitation. Due to AMI’s dominant role in the motherboard supply chain, dozens of major hardware vendors […]
CVE-2024-4577 (CVSS 9.8 Critical) is currently climbing the winners’ podium of the most malicious security vulnerabilities. Disclosed in early June 2024 by Devcore security researchers, weaponization began within a mere 48 hours. It is a PHP-CGI OS Command Injection vulnerability [CWE-78] impacting PHP for Windows. Attacks distributing “TellYouThePass” ransomware were immediately observed and the CVE […]
Two new CVEs in Apache Camel have been disclosed warranting immediate attention from users. On March 9, 2025, Apache disclosed CVE-2025-27636 (CVSS 5.6), a Remote Code Execution (RCE) flaw. Two days later, on March 11th, Akamai’s Security Intelligence Group (SIG) reported a bypass technique for the original patch, resulting in CVE-2025-29891 (CVSS 4.2) being published […]
Cyber threats are evolving at breakneck speed, but the fundamental weaknesses attackers exploit remain strikingly unchanged. So far in 2025, many analysts have published landscape reviews of 2024 and outlooks for 2025. The cost of cyber breaches is ticking upwards, but overall, cyber breach root-causes have not changed. Phishing [T1566] and exploiting known software vulnerabilities […]
Every product has a due date, but customers often have little warning and no recourse when a vendor decides to sunset a product. Once a vendor designates a product as end-of-life (EOL) or end-of-service (EOS), managing associated risks becomes more complex. Risk is magnified when cyber criminals find and exploit vulnerabilities that will never be […]
Trimble Cityworks, an enterprise asset management (EAM) and public works management software is actively under attack. The campaign began as an unknown (zero-day) vulnerability, but is now tracked as CVE-2025-0994 with a CVSS of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code […]
