PoC Week 2025-11-17

Posted on Nov 17, 2025

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-59287

CVE-2025-24893

  • Severity: 9.8 CRITICAL
  • Impacted Products: XWiki Platform
  • Description: Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to <host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit Main.SolrSearchMacros in SolrSearchMacros.xml on line 955 to match the rawResponse macro in macros.vm#L2824 with a content type of application/xml, instead of simply outputting the content of the feed.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-24893
  • PoC: https://github.com/iSee857/CVE-2025-24893-PoC/

CVE-2025-9242

  • Severity: 9.3 CRITICAL
  • Impacted Products: Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
  • Description: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-9242
  • PoC: https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/

CVE-2025-64095

  • Severity: 9.8 CRITICAL
  • Impacted Products: DNN < 10.1.1
  • Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads, and uploaded images can overwrite existing files. An unauthenticated user can upload and replace existing files, allowing defacement of a website and, combined with another issue, injection of XSS payloads. This vulnerability is fixed in 10.1.1.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-64095
  • PoC: https://github.com/NationalServices/CVE-2025-64095-DotNetNuke-DNN_PoC

CVE-2025-61304

  • Severity: Under analysis
  • Impacted Products: Dynatrace ActiveGate ping extension up to 1.016
  • Description: OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via a crafted IP address.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-61304
  • PoC: https://github.com/pentastic-be/CVE-2025-61304

CVE-2025-61128

  • Severity: Under analysis
  • Impacted Products: WAVLINK QUANTUM D3G/WL-WN530HG3 firmware M30HG3_V240730
  • Description: Stack-based buffer overflow vulnerability in WAVLINK QUANTUM D3G/WL-WN530HG3 firmware M30HG3_V240730, and possibly other WAVLINK models, allows attackers to execute arbitrary code via a crafted referrer value in a POST request to login.cgi.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-61128
  • PoC: https://gist.github.com/shinobu-alpha/6dd5ad7f83c16360f6564db0bc121e99

CVE-2025-48703

  • Severity: 9.0 CRITICAL
  • Impacted Products: CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205
  • Description: CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-48703
  • PoC: https://github.com/Skynoxk/CVE-2025-48703

CVE-2025-47776

  • Severity: 9.0 CRITICAL
  • Impacted Products: Mantis Bug Tracker 2.27.1 and below
  • Description: Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication code in versions 2.27.1 and below, PHP type juggling will cause certain MD5 hashes matching scientific notation to be interpreted as numbers. Instances using the MD5 login method allow an attacker who knows the victim’s username and has access to an account with a password hash that evaluates to zero to log in without knowing the victim’s actual password, by using any other password with a hash that also evaluates to zero. This issue is fixed in version 2.27.2.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-47776
  • PoC: https://mantisbt.org/bugs/view.php?id=35967

CVE-2025-20337

  • Severity: 10.0 CRITICAL
  • Impacted Products: Cisco ISE and Cisco ISE-PIC
  • Description: A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-20337
  • PoC: https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability

CVE-2025-12539

  • Severity: 10.0 CRITICAL
  • Impacted Products: TNC Toolbox plugin for WordPress <= 1.4.2
  • Description: The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the “Tnc_Wp_Toolbox_Settings::save_settings” function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-12539
  • PoC: https://github.com/Nxploited/CVE-2025-12539

CVE-2025-12463

  • Severity: 9.8 CRITICAL
  • Impacted Products: EFD-2130 camera running firmware version 1.12.0.19
  • Description: An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the Group parameter in the /uapi-cgi/viewer/Param.cgi script. This has been confirmed on the EFD-2130 camera running firmware version 1.12.0.19.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-12463
  • PoC: https://blog.blacklanternsecurity.com/p/cve-2025-12463-98-unauthenticated

CVE-2025-11953

  • Severity: 9.8 CRITICAL
  • Impacted Products: @react-native-community/cli-server-api v4.8.0 – v20.0.0-alpha.2
  • Description: The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-11953
  • PoC: https://github.com/B1ack4sh/Blackash-CVE-2025-11953/blob/main/README.md

CVE-2025-11749

  • Severity: 9.8 CRITICAL
  • Impacted Products: AI Engine plugin for WordPress <= 3.1.3
  • Description: The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the ‘Bearer Token’ value when ‘No-Auth URL’ is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-11749
  • PoC: https://github.com/Nxploited/CVE-2025-11749

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections or omissions (e.g. newsletter recs), feel free to get in touch.