PoC Week 2025-09-05
This post is back after a summer break, regular Monday posts resume next week.
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.
CVE-2025-7775
- Severity: 9.2 CRITICAL
- Impacted Products: NetScaler ADC and NetScaler Gateway
- Description: Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-7775
- PoC: https://github.com/hacker-r3volv3r/CVE-2025-7775-PoC/
CVE-2025-42999
- Severity: 9.1 CRITICAL
- Impacted Products: SAP NetWeaver Visual Composer Metadata Uploader
- Description: SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-42999
- PoC: https://github.com/antichainalysis/sap-netweaver-0day-CVE-2025-31324/ (the CVE number in the repository name differs because CVE-2025-31324 is used to bypass authentication and CVE-2025-42999 to execute code)
CVE-2025-31324
- Severity: 9.8 CRITICAL
- Impacted Products: SAP NetWeaver Visual Composer Metadata Uploader
- Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-31324
- PoC: https://github.com/nullcult/CVE-2025-31324-File-Upload/
CVE-2025-43300
- Severity: 8.8 HIGH
- Impacted Products: Various Apple releases prior to: macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2 and iPadOS 18.6.2
- Description: Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-43300
- PoC: https://github.com/hunters-sec/CVE-2025-43300
CVE-2025-48384
- Severity: 8 HIGH
- Impacted Products: git prior to v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1
- Description: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-48384
- PoC: https://github.com/nguyentranbaotran/cve-2025-48384-poc/
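A defender-side check for the two conditions in the description above, added here as an example and not code from the page, the PoC repository or the Git project: it tells you whether a local `git --version` string falls on a fixed release (using the version list from the entry), and it scans raw `.gitmodules` text for submodule `path` values that carry a trailing carriage return or other control character, which is the ingredient the CRLF-stripping behaviour needs. The sample `.gitmodules` content is constructed for illustration; the handling of branches newer than 2.50 and of a hypothetical 3.x release is an assumption, marked in the code.

```python
import re
import sys
from typing import List, Tuple

# Fixed releases as listed in the CVE-2025-48384 entry above.
FIXED_GIT_VERSIONS = [
    (2, 43, 7), (2, 44, 4), (2, 45, 4), (2, 46, 4),
    (2, 47, 3), (2, 48, 2), (2, 49, 1), (2, 50, 1),
]


def parse_git_version(output: str) -> Tuple[int, int, int]:
    """Parse the output of `git --version` (e.g. 'git version 2.50.1') into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised git version string: {output!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def git_is_fixed(version: Tuple[int, int, int]) -> bool:
    """True if `version` is at or above the fixed release of its maintenance branch."""
    major, minor, patch = version
    if major != 2:
        return major > 2  # assumption: any 3.x release postdates the fix
    for _, fixed_minor, fixed_patch in FIXED_GIT_VERSIONS:
        if fixed_minor == minor:
            return patch >= fixed_patch
    # Branches older than 2.43 are "prior to v2.43.7" and so unfixed;
    # branches newer than 2.50 are assumed to include the fix.
    return minor > 50


def find_suspicious_submodule_paths(gitmodules: str) -> List[Tuple[str, str]]:
    """Return (submodule name, raw path) for every path= entry containing a control character.

    `gitmodules` must be the raw file text with line endings preserved (read it with
    newline='' or in binary mode); universal-newline reading would turn "\\r\\n" into
    "\\n" and silently hide exactly the CR this check is looking for.
    """
    findings: List[Tuple[str, str]] = []
    current = "<unnamed>"
    for raw_line in gitmodules.split("\n"):
        line = raw_line.lstrip()
        if line.startswith("["):
            m = re.match(r'\[submodule\s+"(.*)"\]', line)
            current = m.group(1) if m else line.rstrip()
            continue
        if "=" not in line or line.startswith(("#", ";")):
            continue
        key, value = line.split("=", 1)
        if key.strip() != "path":
            continue
        value = value.lstrip()  # keep trailing bytes: that is where the CR hides
        if any(ord(c) < 0x20 or c == "\x7f" for c in value):
            findings.append((current, value))
    return findings


# Constructed sample: the second submodule's path ends in a bare CR.
SAMPLE_GITMODULES = (
    '[submodule "libfoo"]\n'
    '\tpath = vendor/libfoo\n'
    '\turl = https://example.invalid/libfoo.git\n'
    '[submodule "hooks"]\n'
    '\tpath = hooks-dir\r\n'
    '\turl = https://example.invalid/hooks.git\n'
)


if __name__ == "__main__":
    # Usage: python check_git_cr.py [path/to/.gitmodules]
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:  # newline='' preserves the CR
            text = fh.read()
    else:
        text = SAMPLE_GITMODULES
    for name, path in find_suspicious_submodule_paths(text):
        print(f"submodule {name!r}: path contains control characters: {path!r}")
```

Run it against a repository's `.gitmodules` before running `git submodule update` on an untrusted clone, and feed `parse_git_version(subprocess.check_output(["git", "--version"], text=True))` into `git_is_fixed` to confirm the local client is on a patched branch; a clean scan is not a substitute for upgrading, since the scanner only looks at the one file and not at symlinks already present in the tree.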
CVE-2025-9074
- Severity: Awaiting analysis - probably Medium
- Impacted Products: Docker Desktop 4.25 up to, but not including, 4.44.3
- Description: A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the “Expose daemon on tcp://localhost:2375 without TLS” option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-9074
- PoC: https://github.com/j3r1ch0123/CVE-2025-9074/
CVE-2025-8723
- Severity: 9.8 CRITICAL
- Impacted Products: Cloudflare Image Resizing plugin for WordPress <= 1.5.6
- Description: The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook-rest-pre-dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-8723
- PoC: https://github.com/Nxploited/CVE-2025-8723/
CVE-2025-55346
- Severity: 9.8 CRITICAL
- Impacted Products: flowise
- Description: User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. Depending on the version of Flowise this could lead to either unauthenticated or authenticated remote code execution.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-55346
- PoC: https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925/
CVE-2025-53770
- Severity: 9.8 CRITICAL
- Impacted Products: Hosted SharePoint Server
- Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-53770
- PoC: https://github.com/B1ack4sh/Blackash-CVE-2025-53770/
CVE-2025-27363
- Severity: 8.1 HIGH
- Impacted Products: FreeType versions 2.13.0 and below
- Description: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-27363
- PoC: https://github.com/ov3rf1ow/CVE-2025-27363
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.