tonyharris.io

PoC Week 2025-10-21

Posted on Oct 21, 2025

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-27363

  • Severity: 8.1 HIGH
  • Impacted Products: FreeType versions 2.13.0 and below
  • Description: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-27363
  • PoC: https://github.com/ov3rf1ow/CVE-2025-27363

CVE-2025-11371

  • Severity: 8.1 HIGH
  • Impacted Products: Gladinet CentreStack and TrioFox <=16.7.10368.56560
  • Description: In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-11371
  • PoC: https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.