Advisory Week


Week 13, 2025
National Cyber Awareness System
 
Ivanti Releases Security Updates for Connect Secure, Policy Secure & ZTA Gateways Vulnerability (CVE-2025-22457)
CISA Adds One Vulnerability to the KEV Catalog
NSA, CISA, FBI, and International Partners Release Cybersecurity Advisory on “Fast Flux,” a National Security Threat
CISA Releases Five Industrial Control Systems Advisories
CISA Releases Two Industrial Control Systems Advisories
CISA Adds One Known Exploited Vulnerability to Catalog
CISA Adds One Known Exploited Vulnerability to Catalog
Mozilla Security Advisories
 
Security Vulnerabilities fixed in Thunderbird ESR 128.9 mfsa2025-24
Security Vulnerabilities fixed in Thunderbird 137 mfsa2025-23
Security Vulnerabilities fixed in Firefox ESR 128.9 mfsa2025-22
Security Vulnerabilities fixed in Firefox ESR 115.22 mfsa2025-21
Security Vulnerabilities fixed in Firefox 137 mfsa2025-20
Ubuntu Security Notices
 
Linux kernel (NVIDIA) vulnerabilities: USN-7402-3
Linux kernel vulnerabilities: USN-7415-1 / USN-7408-1 / USN-7406-1 / USN-7402-1
XZ Utils vulnerability: USN-7414-1
Linux kernel (IoT) vulnerabilities: USN-7413-1
Linux kernel (Azure FIPS) vulnerabilities: USN-7406-4
GnuPG vulnerability: USN-7412-1
OpenVPN vulnerability: USN-7411-1
RubySAML vulnerabilities: USN-7409-1
Linux kernel (FIPS) vulnerabilities: USN-7408-2 / USN-7406-2
Linux kernel (Real-time) vulnerabilities: USN-7406-3 / USN-7402-2
Linux kernel (HWE) vulnerabilities: USN-7407-1 / USN-7403-1
InspIRCd vulnerabilities: USN-7405-1
phpseclib vulnerabilities: USN-7404-1
Linux kernel (AWS) vulnerabilities: USN-7401-1 / USN-7392-3
Linux kernel (AWS FIPS) vulnerabilities: USN-7392-4
Linux kernel (Azure) vulnerabilities: USN-7384-2
Vim vulnerability: USN-7261-2
Linux kernel (Raspberry Pi) vulnerabilities: USN-7379-2
nginx vulnerability: USN-7285-2
PHP vulnerabilities: USN-7400-1
RabbitMQ Server vulnerability: USN-7399-1
libtar vulnerabilities: USN-7398-1
AOM vulnerability: USN-7397-1
OVN vulnerability: USN-7396-1
WebKitGTK vulnerabilities: USN-7395-1
MariaDB vulnerability: USN-7376-2
Doorkeeper vulnerabilities: USN-7394-1
Red Hat Security Advisory
 
Important: opentelemetry-collector security update: RHSA-2025:3593
Important: firefox security update: RHSA-2025:3590 / RHSA-2025:3589 / RHSA-2025:3587 / RHSA-2025:3582 / RHSA-2025:3581 / RHSA-2025:3556
Important: python-jinja2 security update: RHSA-2025:3586 / RHSA-2025:3585 / RHSA-2025:3580 / RHSA-2025:3562 / RHSA-2025:3406
Important: RHODF-4.14-RHEL-9 security update: RHSA-2025:3560
Important: OpenShift Container Platform 4.16.38 bug fix and security update: RHSA-2025:3301
Important: Red Hat Build of Apache Camel 4.8.5 for Spring Boot security update: RHSA-2025:3543
Moderate: Red Hat JBoss Web Server 5.8.3 release and security update: RHSA-2025:3455 / RHSA-2025:3454
Important: RHODF-4.15-RHEL-9 security update: RHSA-2025:3542
Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.62 security update: RHSA-2025:3453
Important: Logging for Red Hat OpenShift - 5.8.19: RHSA-2025:3448
Important: Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.4.GA): RHSA-2025:3541
Important: Red Hat Integration Camel K 1.10.10 release and security update: RHSA-2025:3540
Moderate: expat security update: RHSA-2025:3531
Moderate: libgcrypt security update: RHSA-2025:3530
Important: OpenShift Container Platform 4.17.23 bug fix and security update: RHSA-2025:3297
Important: Red Hat build of Quarkus 3.15.4 release and security update: RHSA-2025:3376
Important: Red Hat build of Cryostat security update: RHSA-2025:3503
Important: RHODF-4.16-RHEL-9 security update: RHSA-2025:3502
Important: RHODF-4.17-RHEL-9 security update: RHSA-2025:3500
Important: Red Hat multicluster global hub 1.2.2 bug fixes and container update: RHSA-2025:3498
Important: Satellite 6.14.4.5 Async Update: RHSA-2025:3492
Important: Satellite 6.15.5.2 Async Update: RHSA-2025:3491
Important: Satellite 6.16.4 Async Update: RHSA-2025:3490
Important: Red Hat JBoss Enterprise Application Platform 7.4.21 security update: RHSA-2025:3467
Important: ACS 4.6 enhancement and security update: RHSA-2025:3439
Important: ACS 4.7 enhancement and security update: RHSA-2025:3438
Important: ACS 4.5 enhancement and security update: RHSA-2025:3437
Important: freetype security update: RHSA-2025:3421 / RHSA-2025:3386 / RHSA-2025:3385 / RHSA-2025:3384 / RHSA-2025:3382
Important: grub2 security update: RHSA-2025:3396
Important: libxslt security update: RHSA-2025:3389
Node.js Security Advisories
 
Node.js Test CI Security Incident
Cisco Security Advisory
 
Cisco Enterprise Chat and Email Denial of Service Vulnerability
Cisco Meraki MX and Z Series AnyConnect VPN Denial of Service Vulnerability
Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Stored Cross-Site Scripting Vulnerabilities
Microsoft Security
 
Microsoft April 2025 Security Update Guide
Chromium: CVE-2025-3066 Use after free in Navigations
CVE-2025-29796 Microsoft Edge for iOS Spoofing Vulnerability
CVE-2025-29815 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Chromium: CVE-2025-3073 Inappropriate implementation in Autofill
Chromium: CVE-2025-3068 Inappropriate implementation in Intents
Chromium: CVE-2025-3067 Inappropriate implementation in Custom Tabs
Chromium: CVE-2025-3070 Insufficient validation of untrusted input in Extensions
Chromium: CVE-2025-3069 Inappropriate implementation in Extensions
Chromium: CVE-2025-3074 Inappropriate implementation in Downloads
Chromium: CVE-2025-3072 Inappropriate implementation in Custom Tabs
Chromium: CVE-2025-3071 Inappropriate implementation in Navigations
CVE-2025-25001 Microsoft Edge for iOS Spoofing Vulnerability
CVE-2025-25000 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2025-26683 Azure Playwright Elevation of Privilege Vulnerability
Jenkins Security Advisories
 
Jenkins Security Advisory 2025-04-02
Amazon AWS Security Advisories
 
Issue with AWS SAM CLI (CVE-2025-3047, CVE-2025-3048)
GitHub Security Advisories
 
[GHSA-2frx-2596-x5r6] gitoxide does not detect SHA-1 collision attacks
[GHSA-33xw-247w-6hmc] BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
[GHSA-wg47-6jq2-q2hh] MinIO performs incomplete signature validation for unsigned-trailer uploads
[GHSA-wc53-4255-gw3f] The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server
[GHSA-xcj6-pq6g-qj4x] Vite allows server.fs.deny to be bypassed with .svg or relative paths
[GHSA-428q-q3vv-3fq3] GraphQL grant on a property might be cached with different objects
[GHSA-cq88-842x-2jhp] Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration
[GHSA-cg3c-245w-728m] GraphQL query operations security can be bypassed
[GHSA-7rmp-3g9f-cvq8] generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework
[GHSA-cj5w-8mjf-r5f8] jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"
[GHSA-rfw5-cqjj-7v9r] API Platform Core can leak exceptions message that may contain sensitive information
[GHSA-c9pr-q8gx-3mgp] Improper Scope Validation in the `open` Endpoint of `tauri-plugin-shell`
[GHSA-26wh-cc3r-w6pj] canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output
[GHSA-223j-4rm8-mrmf] Next.js may leak x-middleware-subrequest-id to external hosts
[GHSA-mqqg-xjhj-wfgw] Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler
[GHSA-3qjf-qh38-x73v] Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics
[GHSA-m5qc-5hw7-8vg7] image-size Denial of Service via Infinite Loop during Image Processing
[GHSA-c2c3-pqw5-5p7c] Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times
[GHSA-4q56-crqp-v477] Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
[GHSA-w34w-fvp3-68xm] Yeswiki Path Traversal vulnerability allows arbitrary read of files
[GHSA-q8jq-4rm5-4hm5] @alizeait/unflatto Prototype Pollution
[GHSA-7c5v-895v-w4q5] jooby-pac4j: deserialization of untrusted data
[GHSA-8p83-cpfg-fj3g] Rancher: Restricted Administrator can change Administrator's passwords
[GHSA-qq4x-c6h6-rfxh] aws-cdk-lib has Insertion of Sensitive Information into Log File vulnerability when using Cognito UserPoolClient Construct
[GHSA-pp64-wj43-xqcr] AWS SAM CLI Path Traversal allows file copy to local cache
[GHSA-px37-jpqx-97q9] AWS SAM CLI Path Traversal allows file copy to build container
[GHSA-gr7w-hmch-25g7] gifplayer XSS vulnerability
[GHSA-hqqc-jr88-p6x2] Netty QUIC hash collision DoS attack
[GHSA-4r4m-qw57-chr8] Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
[GHSA-fcfq-m8p6-gw56] Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS Rebinding
[GHSA-2j42-h78h-q4fg] Beego allows Reflected/Stored XSS in Beego's RenderForm() Function Due to Unescaped User Input
[GHSA-hx7h-9vf7-5xhg] Uptime Kuma's Regular Expression in pushdeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
CISA Known Exploited Vulnerabilities
 
Cisco Smart Licensing Utility Static Credential Vulnerability CVE-2024-20439
Apache Tomcat Path Equivalence Vulnerability CVE-2025-24813
Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability CVE-2025-22457

The Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities for which CISA has evidence of active exploitation in the wild; an entry is not necessarily a new or recently discovered flaw, and each carries a due date by which federal agencies must remediate it. The vulnerabilities listed above are the entries that were added to the catalog in the past week.
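The weekly KEV additions above can be reproduced from CISA's published JSON feed by filtering on `dateAdded`. The following script is an added example and not part of the newsletter: the field names match the real KEV feed (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but the feed body embedded below is a constructed sample and its dates are illustrative only. The `fetch_feed` helper is the only part that touches the network and is not called when the module is imported.

```python
"""Filter the CISA KEV feed to entries added (or due) within a window.

Added example, not code from the newsletter or from CISA. Feed field names
follow the published KEV JSON schema; SAMPLE_FEED is constructed and its
dates are illustrative.
"""
import json
import urllib.request
from datetime import date, timedelta

KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed sample in the shape of the real feed; only a few fields kept.
# The last entry is deliberately old so that the window filter has
# something to exclude.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.04.04",
    "dateReleased": "2025-04-04T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-22457", "vendorProject": "Ivanti",
         "product": "Connect Secure, Policy Secure, and ZTA Gateways",
         "vulnerabilityName": "Stack-Based Buffer Overflow Vulnerability",
         "dateAdded": "2025-04-04", "dueDate": "2025-04-11",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-24813", "vendorProject": "Apache",
         "product": "Tomcat",
         "vulnerabilityName": "Path Equivalence Vulnerability",
         "dateAdded": "2025-04-01", "dueDate": "2025-04-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-20439", "vendorProject": "Cisco",
         "product": "Smart Licensing Utility",
         "vulnerabilityName": "Static Credential Vulnerability",
         "dateAdded": "2025-03-31", "dueDate": "2025-04-21",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS",
         "vulnerabilityName": "Command Injection Vulnerability",
         "dateAdded": "2024-04-12", "dueDate": "2024-04-19",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def fetch_feed(url=KEV_FEED_URL, timeout=30):
    """Download the live feed as text (network access; not used in tests)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_kev(raw):
    """Parse feed JSON and sanity-check the declared count against the list."""
    data = json.loads(raw)
    entries = data["vulnerabilities"]
    declared = data.get("count")
    if declared is not None and declared != len(entries):
        raise ValueError(f"feed count {declared} != {len(entries)} entries")
    return entries


def added_since(entries, as_of, days=7):
    """Entries whose dateAdded falls in (as_of - days, as_of], oldest first."""
    cutoff = as_of - timedelta(days=days)
    recent = [e for e in entries
              if cutoff < date.fromisoformat(e["dateAdded"]) <= as_of]
    return sorted(recent, key=lambda e: (e["dateAdded"], e["cveID"]))


def due_within(entries, as_of, days=7):
    """Entries whose BOD 22-01 dueDate is today or within the next `days`."""
    horizon = as_of + timedelta(days=days)
    return sorted((e for e in entries
                   if as_of <= date.fromisoformat(e["dueDate"]) <= horizon),
                  key=lambda e: e["dueDate"])


def summarize(entries):
    """One line per entry in the newsletter's own style."""
    return [f'{e["vendorProject"]} {e["product"]} {e["vulnerabilityName"]} '
            f'{e["cveID"]} (added {e["dateAdded"]}, due {e["dueDate"]})'
            for e in entries]


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_feed() for
    # the live catalog.
    kev = parse_kev(SAMPLE_FEED)
    for line in summarize(added_since(kev, date(2025, 4, 4))):
        print(line)
```

The window is half-open on purpose: an entry added exactly `days` ago belongs to the previous issue and is excluded, so consecutive weekly runs do not double-report. The `count` check catches a truncated download before a silently short list goes into a report.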
