CISA Vulnerability Summary – Week of July 21, 2025

Summary: I analyzed the Vulnerability Summary for the Week of July 21, 2025 published by CISA. This bulletin lists 176 new vulnerabilities discovered that week.

In this article, I present all these vulnerabilities in a factual and structured manner, organized by affected product or vendor. For each product, you’ll find the CVE identifier, CVSS severity score, vulnerability type (SQL injection, buffer overflow, privilege escalation, etc.), and essential factual details from the CISA report.

I rely exclusively on data from the CISA report and include no outside information. This content is purely informational and analytical, with no speculation or recommendation. Original sources (CISA) are cited after each vulnerability.

Adobe

Adobe Experience Manager (AEM) – Three stored Cross-Site Scripting (XSS) vulnerabilities identified in AEM versions 6.5.22 and earlier (CVE-2025-46993, CVE-2025-46996, CVE-2025-47061, CVSS 5.4 each). A low-privilege attacker can inject malicious scripts into form fields, leading to JavaScript code execution in victims’ browsers.

Amazon Web Services (AWS)

AWS Client VPN (Windows) – Local arbitrary code execution during installation (CVE-2025-8069, CVSS 7.8). The installer references an insecure path (C:\usr\local…openssl\ssl) for its OpenSSL configuration. A local non-admin attacker could place malicious code in this config file, which is then executed with SYSTEM privileges when an admin installs the VPN client.

Arm / Artica / Apwide

Arm Development Studio – Insecure DLL loading vulnerability in versions prior to 2025. Allows local attackers to perform DLL hijacking and execute arbitrary code with the launching user’s privileges (CVE-2025-7427).

Artica ST – Pandora FMS – SQL injection and arbitrary file upload. In Pandora FMS ≤5.0 SP2, the mobile/index.php endpoint does not filter the loginhash_data parameter, allowing unauthenticated SQL injection to extract admin credentials. An authenticated attacker can upload a webshell via the File Manager (CVE-2014-125115).

Apwide Golive (Jira plugin) – Server-Side Request Forgery (SSRF) via webhook test feature. Plugin ≤10.2.0 allows arbitrary request execution, potentially exposing the server to unauthorized access (CVE-2025-45939).

Atlassian (Sourcetree)

Atlassian Sourcetree for Mac – Local arbitrary code execution introduced in version 4.2.8 (CVE-2025-22165, CVSS 5.9). Allows a local authenticated attacker to execute arbitrary code with user interaction.

Bayraktar Solar Energies

ScadaWatt Otopilot – SQL Injection in versions before 05/27/2025 (CVE-2025-4822, CVSS 9.8). Unfiltered query parameters allow execution of arbitrary SQL commands.

Bloomberg (Comdb2 DBMS)

Bloomberg Comdb2 – Multiple Denial-of-Service vulnerabilities discovered in Comdb2 v8.1.

Canonical

MAAS (Metal as a Service) – RPC Authentication Bypass. Due to inadequate validations, malicious clients can bypass auth controls and execute RPC commands on MAAS Region servers (CVE-2024-6107, CVSS 9.6).

Cisco

(No new Cisco vulnerabilities reported in this week’s CISA bulletin.)

Comodo

Comodo Dragon (browser) – Multiple unspecified issues found in Comodo Dragon version ≤134.0.6998.179.

CommScope (Ruckus Unleashed/ZoneDirector)

Ruckus Unleashed & ZoneDirector – Multiple critical flaws (CVSS not assigned yet).

Commvault

Commvault (backup infrastructure) – Multiple vulnerabilities patched in Commvault suite.

D-Link

D-Link DIR routers – Several critical vulnerabilities in end-of-life models.

Dell

Dell AppSync – Two vulnerabilities patched in AppSync 4.6.0.0.

Dell PowerScale OneFS – Weak crypto algorithm (CVE-2025-30477, CVSS 4.4). Versions <9.11.0.0 use obsolete algorithms that high-privileged attackers could exploit to disclose sensitive information.

Extreme Networks – Stored Cross-Site Scripting (CVE-2025-6235), unauthenticated JavaScript injection via HTML attributes on login page.

FreeScout – Insecure deserialization (RCE) via improperly encrypted attachments (CVE-2025-54366).

GitLab – Multiple patched issues in CE/EE.

Google Chrome (V8) – Type confusion vulnerabilities (CVE-2025-8010, CVE-2025-8011), potentially allowing remote code execution.

Imprivata – Login screen bypass via keyboard shortcuts (CVE-2024-12310).

INVT HMI Tool – Four critical vulnerabilities in industrial touchscreen software.

Lantronix – XXE injection via config file import (CVE-2025-7766).

LibreNMS – Remote File Inclusion via unvalidated parameter (CVE-2025-54138).

Linux PAM – Privilege escalation via polkit bypass (CVE-2025-6018).

iputils (ping) – Denial of Service from malformed ICMP (CVE-2025-48964).

Bun – OS command injection via shell API (CVE-2025-8022).

private-ip (npm) – SSRF via multicast IP handling (CVE-2025-8020).

curve25519-dalek (Rust) – Timing attack due to optimization removal (CVE-2024-58262).

Medtronic MyCareLink – Three local vulnerabilities.

Network Thermostat – Web interface bypass and password reset without authentication (CVE-2025-6260).

NI LabVIEW – Out-of-Bounds Read (2 vulnerabilities).

OpenAI Codex CLI – Unapproved command execution (CVE-2025-54558).

Open Source MANO – Two privilege escalation flaws (CVE-2024-48729, CVE-2024-48730).

ETQ Reliance – Multiple vulnerabilities including auth bypass, SQLi, XXE (CVE-2025-34140 to CVE-2025-34143).

dag-factory GitHub Action – Code execution via malicious pull request (CVE-2025-54415).

CapillaryScope – Sensitive data stored in cleartext in Windows registry (CVE-2025-40680).

Chavara Matrimony – OTP auth bypass (CVE-2025-45777).

Dicoogle PACS – Path traversal allowing file download (CVE-2018-25113).

dj-extensions (Joomla) – SQLi and XSS in DJ-Flyer and DJ-Reviews (CVE-2025-50127, CVE-2025-54295).

Drupal modules – Multiple unspecified vulnerabilities.

Eveo URVE Web Manager – SSRF and OS command injection (CVE-2025-36845, CVE-2025-36846).

Frontend File Manager (WordPress) – Arbitrary post deletion (CVE-2023-7306).

GeoDirectory (WordPress) – Time-based SQLi (CVE-2024-13507).

GS Orion Login (WordPress) – Predictable OTP / no rate limiting (CVE-2025-7692).

Like & Share My Site (WordPress) – Stored CSRF and XSS (CVE-2025-7685).

Orion WP-Members – Privilege escalation via XSS in shortcodes (CVE-2025-7495).

PowerDNS Recursor – DNS cache poisoning via ECS (CVE-2025-30192).

Red Hat Enterprise Linux 10 – Two vulnerabilities in bundled libraries.

Samsung MagicINFO 9 Server – 11 critical vulnerabilities in display management server.

Sophos Firewall (UTM) – Multiple critical vulnerabilities.

Synology SRM – Two XSS vulnerabilities (pre-1.3.1-9346-11).

Tenda AC series routers – Multiple critical vulnerabilities.

Turpak / Turtek – Auth bypass and privilege escalation (CVE-2025-4040, CVE-2025-5681, CVE-2025-1469).

Journey (iOS) – Sensitive data stored unencrypted; insufficient local brute-force protection (CVE-2025-41458).

Bitnami Helm Charts (VMware/Appsmith) – Local SSRF leading to secrets disclosure (CVE-2025-41240).

WordPress Plugins (selection):

  • FoxyPress – Arbitrary file upload (CVE-2012-10020).
  • WP Database Backup – OS command injection (CVE-2019-25224).
  • User Registration – Stored XSS via shortcode (CVE-2025-6831).
  • WPBakery Page Builder – Multiple stored XSS vectors (CVE-2025-4968).
  • Pixel Gallery – Stored XSS via widgets (CVE-2025-7644).
  • WP Bookit – Arbitrary file upload (CVE-2025-7852).
  • AI Engine – Sensitive file access (CVE-2025-7780).

Source: CISA – Vulnerability Summary for the Week of July 21, 2025 (Bulletin SB25-209, published July 28, 2025).

Enjoy!