Week 51 – TOP10 CVE of the Week 2025
15 – 21 Dec 2025
As we reached the end of 2025 we have looked back to see the most impactful vulnerabilities of the year. Come and go through the TOP 10 CVEs of the year selected by our experts!
A critical CVSS 9.1 flaw in Gladinet’s Triofox file-sharing platform was being actively exploited, allowing attackers to bypass access controls, create admin users, and execute malicious tools by abusing trusted features like antivirus integration. Exploitation began rapidly after disclosure, with attackers deploying remote access software and maintaining persistence, pushing this CVE into CISA’s KEV catalog. Immediate patching to version 16.7.10368.56560 or later is essential to prevent full system compromise.
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480
Another high severity flaw was spotted in March 2025 in VMware solutions. This flaw is a critical VMCI heap-overflow vulnerability in VMware ESXi and Workstation, rated 9.3 CVSS. It stems from a TOCTOU (Time-of-Check Time-of-Use) race condition that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine can exploit this flaw to execute code as the VMX process on the host, potentially compromising the underlying system. VMware ESXi is an enterprise-level server virtualization solution, and Workstation is used for desktop virtualization software. VMware classifies this issue as severe and urges immediate patching to mitigate the risk.
SolarWinds Web Help Desk (WHD) contained a critical unauthenticated remote code execution vulnerability in its AjaxProxy component, resulting from improper validation of user-supplied data. This flaw, a patch bypass of previous CVEs, could allow an attacker to execute code with SYSTEM privileges. The vulnerability, with a CVSS score of 9.8, affects versions up to 12.8.7 and was fixed in Web Help Desk 12.8.7 Hotfix 1 released on September 23. While there is no evidence of exploitation in the wild, users are strongly advised to apply the hotfix to secure their systems.
This is a critical remote code execution vulnerability in Windows Server Update Services (WSUS), which IT administrators use to manage Microsoft updates across networks. Although WSUS is deprecated, it remains supported and received a fix during Microsoft’s October Patch Tuesday. The flaw, categorized as Deserialization of Untrusted Data (CWE‑502) with a CVSS score of 9.8, affects all active Windows Server versions from 2012 through 2025. Exploitation allows an unauthenticated attacker to send crafted events that trigger unsafe object deserialization, leading to full compromise of the update service. The issue was disclosed by researcher(s) known as “MEOW,” and details are available via Microsoft’s Security Response Center and NVD.
https://nvd.nist.gov/vuln/detail/CVE-2025-59287
https://www.tenable.com/cve/CVE-2025-59287
A critical memory corruption flaw in Cisco ASA/Secure Firewall devices is actively exploited in the wild, allowing attackers to bypass authentication and execute high‑privilege code.
Advanced malware like RayInitiator (persistent bootkit) and LINE VIPER (stealthy shellcode loader) is being used to evade detection, manipulate CLI output, and survive reboots.
Devices lacking Secure Boot or Trust Anchor, especially end-of-support ASA 5500‑X units, are highly vulnerable.
Immediate patching and hardware integrity checks are essential to protect your firewall perimeter.
https://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html
Cisco Meeting Management, a tool for managing Cisco Meeting Server, is affected by CVE‑2025‑20156 — a critical REST API vulnerability that allows remote authenticated users with low privileges to escalate to administrator rights due to improper authorization checks. This flaw, rated 9.9 on the CVSS scale, impacts versions 3.9 and earlier, with no available workarounds; users should update to version 3.9.1 or migrate to 3.10. Reported by Ben Leonard-Lagarde from Modux and published on January 22, 2025, the vulnerability enables attackers to gain full control over nodes managed by Cisco Meeting Management.
A 13-year-old use-after-free flaw in Redis’s Lua scripting engine lets an authenticated attacker escape the sandbox and achieve remote code execution on the host by crafting malicious Lua scripts. The vulnerability has been tagged CVSS 10.0 — the absolute maximum severity — and affects all Redis versions with Lua scripting enabled. Defaults like no authentication in many deployments make this bug especially dangerous, with proof-of-concept exploits advancing rapidly. Patch immediately to fixed releases and harden network/authentication controls to defend Redis instances.
https://redis.io/blog/security-advisory-cve-2025-49844/
https://www.sysdig.com/blog/cve-2025-49844-redishell
A critical flaw in the UniFi® Access Application leaves the management API completely exposed with no authentication required, letting attackers on the network take full control of door access systems, risking data leakage, tampered access, and even physical intrusions. Once exploited, adversaries could unlock doors, disable controls, and manipulate access data, undermining security in corporate and sensitive environments. Versions 3.3.22 through 3.4.31 are affected by this misconfiguration-based vulnerability, which enables unauthorized API manipulation. Mitigation: Update to version 4.0.21+, audit network setups, and monitor API activities in SIEM/SOAR until patched. A stark reminder that even core security systems can fail without proper authentication and segmentation.
A perfect 10.0 CVSS vulnerability strikes Manager Desktop and Server (≤ 25.11.1.3085), exposing internal networks through a cleverly exploited TOCTOU flaw in DNS validation. By abusing HTTP redirects, attackers can bypass network isolation and access internal services or cloud metadata — with no authentication at all on Desktop, and only basic login on Server. The result: potential leakage of highly sensitive data. Upgrade immediately to version 25.11.1.3086 to shut the door on this critical threat.
https://www.cvedetails.com/cve/CVE-2025-64180/
https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j
React2Shell is making headlines as one of the most critical web vulnerabilities of the year. This pre-authentication remote code execution flaw in Meta’s React Server Components scores a perfect 10.0 CVSS and stems from insecure deserialization (CWE‑502). Multiple versions are impacted, including 19.0.0 through 19.2.0 and packages like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Exploitation requires no user interaction and boasts near-100% reliability, allowing attackers to execute arbitrary code via crafted HTTP requests. With active exploitation confirmed and no workarounds available, Meta and CISA urge immediate upgrades — because when a vulnerability hits this hard, patching isn’t optional, it’s survival.
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.tenable.com/cve/CVE-2025-55182
Undoubtedly, there will be vulnerabilities next year also, and we will report the most important ones week by week, but for now we wish you all a Happy New Year!!!
White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.