Blog
Flashpoint Weekly Vulnerability Insights and Prioritization Report
Week of May 17 – May 23, 2025
Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.
Table Of Contents
Your Guide to
Proactive Vulnerability
Management
Flashpoint’s VulnDB documents over 400,000 vulnerabilities and has over 4,500 entries in Flashpoint’s KEV database, making it a critical resource as vulnerability exploitation rises. However, if your organization is relying solely on CVE data, you may be missing critical vulnerability metadata and insights that hinder timely remediation. That’s why we created this weekly series—where we surface and analyze the most high priority vulnerabilities security teams need to know about.
Key Vulnerabilities:
Week of May 17 – May 23, 2025
Foundational Prioritization
Of the vulnerabilities Flashpoint published this week, there are 129 that you can take immediate action on. They each have a solution, a public exploit exists, and are remotely exploitable. As such, these vulnerabilities are a great place to begin your prioritization efforts.
Diving Deeper – Urgent Vulnerabilities
Of the vulnerabilities Flashpoint published last week, five are highlighted in this week’s Vulnerability Insights and Prioritization Report because they all:
- Are in widely used products and are potentially enterprise-affecting
- Are exploited in the wild or have exploits available
- Allow full system compromise
- Can be exploited via the network alone or in combination with other vulnerabilities
- Have a solution to take action on
In addition, all of these vulnerabilities are easily discoverable and therefore should be investigated and fixed immediately.
To proactively address these vulnerabilities and ensure comprehensive coverage beyond publicly available sources on an ongoing basis, organizations can leverage Flashpoint Vulnerability Intelligence. Flashpoint provides comprehensive coverage encompassing IT, OT, IoT, CoTs, and open-source libraries and dependencies. It catalogs over 100,000 vulnerabilities that are not included in the NVD or lack a CVE ID, ensuring thorough coverage beyond publicly available sources. The vulnerabilities that are not covered by the NVD do not yet have CVE ID assigned and will be noted with a VulnDB ID.
| CVE ID | Title | CVSS Scores (v2, v3, v4) | Exploit Status | Exploit Consequence | Ransomware Likelihood Score | Social Risk Score | Solution Availability |
| VulnDB ID: 405228 | Invision Community themeeditor::customCss() Function content Parameter Template Injection | 10.0 9.8 9.3 | Exploited in the Wild | Remote Code Execution | High | Low | Yes |
| CVE-2025-47277 | vLLM distributed/utils.py StatelessProcessGroup.create() Function Insecure TCPStore Interface | 10.0 9.8 9.3 | Public | Remote Code Execution | High | Low | Yes |
| CVE-2025-34027 | Versa Concerto Traefik Container AuthenticationFilter Class URL Decoding | 10.0 9.8 9.3 | PoC Public | Remote Authentication Bypass | High | Low | No |
| CVE-2025-47646 | PSW Front-end Login & Registration Plugin for WordPress public/class-prositegeneralfeatures-public.php Multiple Parameter Improper Authentication | 10.0 9.8 9.3 | Public | Remote Admin Account Creation | High | Low | Yes |
| VulnDB ID: 405269 | Microsoft Windows Server Delegated Managed Service Accounts (dMSA) Feature | 9.0 8.8 8.7 | Private | Remote Privilege Escalation | High | N/A | No |
NOTES: The severity of a given vulnerability score can change whenever new information becomes available. Flashpoint maintains its vulnerability database with the most recent and relevant information available. Login to view more vulnerability metadata and for the most up-to-date information.
CVSS scores: Our analysts calculate, and if needed, adjust NVD’s original CVSS scores based on new information being available.
Social Risk Score: Flashpoint estimates how much attention a vulnerability receives on social media. Increased mentions and discussions elevate the Social Risk Score, indicating a higher likelihood of exploitation. The score considers factors like post volume and authors, and decreases as the vulnerability’s relevance diminishes.
Ransomware Likelihood: This score is a rating that estimates the similarity between a vulnerability and those known to be used in ransomware attacks. As we learn more information about a vulnerability (e.g. exploitation method, technology affected) and uncover additional vulnerabilities used in ransomware attacks, this rating can change.
Flashpoint Ignite lays all of these components out. Below is an example of what this vulnerability record for VulnDB ID: 405228 looks like.
This record provides additional metadata like affected product versions, MITRE ATT&CK mapping, analyst notes, solution description, classifications, vulnerability timeline and exposure metrics, exploit references and more.
Analyst Comments on the Notable Vulnerabilities
Below, Flashpoint analysts describe the five vulnerabilities highlighted above as vulnerabilities that should be of focus for remediation if your organization is exposed.
VulnDB ID: 405228
Invision Community contains a flaw in the themeeditor::customCss() function in applications/core/modules/front/system/themeeditor.php. This flaw is triggered when input passed via the “content” parameter is not properly sanitized before being passed to the template engine via the Theme::makeProcessFunction() function. This may allow a remote attacker to inject and execute arbitrary code. As of May 19, this has been reported as being exploited in the wild.
CVE-2025-47277
vLLM contains a flaw in the StatelessProcessGroup.create() function in distributed/utils.py that is triggered as the TCPStore interface is set up to listen on all interfaces, regardless of the IP address provided via the –kv-ip option. This allows a remote attacker to send specially crafted serialized data to the “PyNcclPipe” service and execute arbitrary code. Flashpoint analysts note that this issue only affects environments using the “PyNcclPipe” KV (key-value) cache transfer integration with the V0 engine. Other configurations are not affected.
CVE-2025-34027
Versa Concerto contains a flaw in the Traefik container related to the AuthenticationFilter class as URLs are URL-decoded before being compared against excluded endpoints. This may allow a remote attacker to add “;%2fv1%2fping” to a URL to bypass authentication. Flashpoint analysts note that the vendor announced that patches will be available on April 7, but no further details have been provided.
Flashpoint analysts assess that while this is reported as a TOCTOU race condition, the information suggests that the controllers passed a URL that has not been URL-decoded. Exploiting this issue requires passing a URL containing something like a semicolon without the requirement to win a race condition. However, further exploitation of this issue uses a race condition during package uploads, where files are deleted shortly after being written to disk. Overwriting ld.so.preload with a path pointing to /tmp/hook may allow the execution of arbitrary code if the race condition is won.
CVE-2025-47646
The PSW Front-end Login & Registration Plugin for WordPress contains a flaw in the public/class-prositegeneralfeatures-public.php script. This flaw is triggered when authentication mechanisms are not properly implemented when leveraging the “first_name,” “last_name,” “new_user_name,” and “new_user_email” parameters. A remote attacker may be able to create an admin account.
VulnDB ID: 405269
Microsoft Windows Server contains a flaw related to the delegated Managed Service Account (dMSA) feature. The issue is triggered as the SIDs of the superseded service account and its associated groups are included in the Privilege Attribute Certificate (PAC) that is embedded in the ticket when a dMSA authenticates. By creating a new dMSA and setting certain attributes, an authenticated, remote attacker with “CreateChild” permissions on an organizational unit (OU) can compromise arbitrary users in the domain and gain similar privileges to the Replicating Directory Changes privilege used to perform DCSync attacks.
Flashpoint analysts assess that this issue affects Windows domains with at least one Windows Server 2025 domain controller (DC). Exploitation requires “CreateChild” permissions on an organizational unit (OU). The attacker can obtain full permissions of an account by setting the “msDS-ManagedAccountPrecededByLink” attribute to the target account’s DN and the “msDS-DelegatedMSAState” attribute to “2” (migration completed).
Analysts note that although there are no known upgrades or patches to correct this vulnerability, it is possible to temporarily mitigate the flaw by implementing the following workaround: limit the ability to create delegated Managed Service Accounts. The vendor has confirmed and acknowledged the issue. However, a fix is planned for the future because it does not meet the threshold for immediate servicing.
Previously Highlighted Vulnerabilities
| CVE/VulnDB ID | Flashpoint Published Date |
| CVE-2025-21218 | Week of January 15, 2025 |
| CVE-2024-57811 | Week of January 15, 2025 |
| CVE-2024-55591 | Week of January 15, 2025 |
| CVE-2025-23006 | Week of January 22, 2025 |
| CVE-2025-20156 | Week of January 22, 2025 |
| CVE-2024-50664 | Week of January 22, 2025 |
| CVE-2025-24085 | Week of January 29, 2025 |
| CVE-2024-40890 | Week of January 29, 2025 |
| CVE-2024-40891 | Week of January 29, 2025 |
| VulnDB ID: 389414 | Week of January 29, 2025 |
| CVE-2025-25181 | Week of February 5, 2025 |
| CVE-2024-40890 | Week of February 5, 2025 |
| CVE-2024-40891 | Week of February 5, 2025 |
| CVE-2024-8266 | Week of February 12, 2025 |
| CVE-2025-0108 | Week of February 12, 2025 |
| CVE-2025-24472 | Week of February 12, 2025 |
| CVE-2025-21355 | Week of February 24, 2025 |
| CVE-2025-26613 | Week of February 24, 2025 |
| CVE-2024-13789 | Week of February 24, 2025 |
| CVE-2025-1539 | Week of February 24, 2025 |
| CVE-2025-27364 | Week of March 3, 2025 |
| CVE-2025-27140 | Week of March 3, 2025 |
| CVE-2025-27135 | Week of March 3, 2025 |
| CVE-2024-8420 | Week of March 3, 2025 |
| CVE-2024-56196 | Week of March 10, 2025 |
| CVE-2025-27554 | Week of March 10, 2025 |
| CVE-2025-22224 | Week of March 10, 2025 |
| CVE-2025-1393 | Week of March 10, 2025 |
| CVE-2025-24201 | Week of March 17, 2025 |
| CVE-2025-27363 | Week of March 17, 2025 |
| CVE-2025-2000 | Week of March 17, 2025 |
| CVE-2025-27636 CVE-2025-29891 | Week of March 17, 2025 |
| CVE-2025-1496 | Week of March 24, 2025 |
| CVE-2025-27781 | Week of March 24, 2025 |
| CVE-2025-29913 | Week of March 24, 2025 |
| CVE-2025-2746 | Week of March 24, 2025 |
| CVE-2025-29927 | Week of March 24, 2025 |
| CVE-2025-1974 CVE-2025-2787 | Week of March 31, 2025 |
| CVE-2025-30259 | Week of March 31, 2025 |
| CVE-2025-2783 | Week of March 31, 2025 |
| CVE-2025-30216 | Week of March 31, 2025 |
| CVE-2025-22457 | Week of April 2, 2025 |
| CVE-2025-2071 | Week of April 2, 2025 |
| CVE-2025-30356 | Week of April 2, 2025 |
| CVE-2025-3015 | Week of April 2, 2025 |
| CVE-2025-31129 | Week of April 2, 2025 |
| CVE-2025-3248 | Week of April 7, 2025 |
| CVE-2025-27797 | Week of April 7, 2025 |
| CVE-2025-27690 | Week of April 7, 2025 |
| CVE-2025-32375 | Week of April 7, 2025 |
| VulnDB ID: 398725 | Week of April 7, 2025 |
| CVE-2025-32433 | Week of April 12, 2025 |
| CVE-2025-1980 | Week of April 12, 2025 |
| CVE-2025-32068 | Week of April 12, 2025 |
| CVE-2025-31201 | Week of April 12, 2025 |
| CVE-2025-3495 | Week of April 12, 2025 |
| CVE-2025-31324 | Week of April 17, 2025 |
| CVE-2025-42599 | Week of April 17, 2025 |
| CVE-2025-32445 | Week of April 17, 2025 |
| VulnDB ID: 400516 | Week of April 17, 2025 |
| CVE-2025-22372 | Week of April 17, 2025 |
| CVE-2025-32432 | Week of April 29, 2025 |
| CVE-2025-24522 | Week of April 29, 2025 |
| CVE-2025-46348 | Week of April 29, 2025 |
| CVE-2025-43858 | Week of April 29, 2025 |
| CVE-2025-32444 | Week of April 29, 2025 |
| CVE-2025-20188 | Week of May 3 |
| CVE-2025-29972 | Week of May 3 |
| CVE-2025-32819 | Week of May 3 |
| CVE-2025-27007 | Week of May 3 |
| VulnDB ID: 402907 | Week of May 3 |
Transform Vulnerability Management with Flashpoint
Fill out the form to the left to subscribe to our newsletter, which features Flashpoint’s leading data and intelligence. Request a demo today to see how Flashpoint can transform your vulnerability management and exposure identification program.