Blog
Flashpoint Weekly Vulnerability Insights and Prioritization Report
Week of April 26 – May 2, 2025
Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.
Table Of Contents
Your Guide to
Proactive Vulnerability
Management
Flashpoint’s VulnDB documents over 400,000 vulnerabilities and has over 4,500 entries in Flashpoint’s KEV database, making it a critical resource as vulnerability exploitation rises. However, if your organization is relying solely on CVE data, you may be missing critical vulnerability metadata and insights that hinder timely remediation. That’s why we created this weekly series—where we surface and analyze the most high priority vulnerabilities security teams need to know about.
Key Vulnerabilities:
Week of April 26 – May 2, 2025
Foundational Prioritization
Of the vulnerabilities Flashpoint published this week, there are 138 that you can take immediate action on. They each have a solution, a public exploit exists, and are remotely exploitable. As such, these vulnerabilities are a great place to begin your prioritization efforts.
Diving Deeper – Urgent Vulnerabilities
Of the vulnerabilities Flashpoint published last week, five are highlighted in this week’s Vulnerability Insights and Prioritization Report because they all:
- Are in widely used products and are potentially enterprise-affecting
- Are exploited in the wild or have exploits available
- Allow full system compromise
- Can be exploited via the network alone or in combination with other vulnerabilities
- Have a solution to take action on
In addition, all of these vulnerabilities are easily discoverable and therefore should be investigated and fixed immediately.
To proactively address these vulnerabilities and ensure comprehensive coverage beyond publicly available sources on an ongoing basis, organizations can leverage Flashpoint Vulnerability Intelligence. Flashpoint provides comprehensive coverage encompassing IT, OT, IoT, CoTs, and open-source libraries and dependencies. It catalogs over 100,000 vulnerabilities that are not included in the NVD or lack a CVE ID, ensuring thorough coverage beyond publicly available sources. The vulnerabilities that are not covered by the NVD do not yet have CVE ID assigned and will be noted with a VulnDB ID.
| CVE ID | Title | CVSS Scores (v2, v3, v4) | Exploit Status | Exploit Consequence | Ransomware Likelihood Score | Social Risk Score | Solution Availability |
| CVE-2025-32432 | Craft CMS controllers/AssetsController.php AssetsController::actionGenerateTransform() Function Handle Parameter Remote Code Execution | 10.0 10.0 9.3 | Exploited in the Wild | Remote Code Execution | High | High | Yes |
| CVE-2025-24522 | Revolution Pi Node-RED Server Missing Authentication Remote Command Execution | 10.0 10.0 10.0 | Private | Remote Command Execution | High | Low | Yes |
| CVE-2025-46348 | YesWiki Missing Authentication Site Backup Request Remote Archive Creation | 10.0 10.0 10.0 | Public | Sensitive Information Disclosure | High | Low | Yes |
| CVE-2025-43858 | YoutubeDLSharp YoutubeDLSharp/YoutubeDLProcess.cs RunAsync() Function URL Handling Arbitrary Command Injection | 10.0 10.0 9.0 | Public | Arbitrary OS Command Execution | High | Low | Yes |
| CVE-2025-32444 | vLLM distributed/kv_transfer/kv_pipe/mooncake_pipe[.]py wait_for_ack() Function Packet Handling Insecure Deserialization Remote Code Execution | 10.0 10.0 10.0 | Private | Remote Code Execution | High | Low | Yes |
NOTES: The severity of a given vulnerability score can change whenever new information becomes available. Flashpoint maintains its vulnerability database with the most recent and relevant information available. Login to view more vulnerability metadata and for the most up-to-date information.
CVSS scores: Our analysts calculate, and if needed, adjust NVD’s original CVSS scores based on new information being available.
Social Risk Score: Flashpoint estimates how much attention a vulnerability receives on social media. Increased mentions and discussions elevate the Social Risk Score, indicating a higher likelihood of exploitation. The score considers factors like post volume and authors, and decreases as the vulnerability’s relevance diminishes.
Ransomware Likelihood: This score is a rating that estimates the similarity between a vulnerability and those known to be used in ransomware attacks. As we learn more information about a vulnerability (e.g. exploitation method, technology affected) and uncover additional vulnerabilities used in ransomware attacks, this rating can change.
Flashpoint Ignite lays all of these components out. Below is an example of what this vulnerability record for CVE-2025-32432 looks like.
This record provides additional metadata like affected product versions, MITRE ATT&CK mapping, analyst notes, solution description, classifications, vulnerability timeline and exposure metrics, exploit references and more.
Analyst Comments on the Notable Vulnerabilities
Below, Flashpoint analysts describe the five vulnerabilities highlighted above as vulnerabilities that should be of focus for remediation if your organization is exposed.
CVE-2025-32432
Craft CMS contains a flaw in the AssetsController::actionGenerateTransform() function in controllers/AssetsController.php triggered when input passed via the “handle” parameter is not properly validated. With a specially crafted request to /index.php?p=actions/assets/generate-transform, a remote attacker can execute arbitrary code. As of February 14, 2025, this has been reported as being exploited in the wild. This issue is exploited in combination with a vulnerability in the Yii Framework (see VulnDB 361461 / CVE-2024-58136).
CVE-2025-24522
Revolution Pi contains a flaw in the Node-RED server that is triggered as authentication mechanisms are not properly implemented. This may allow a remote attacker to execute arbitrary commands.
CVE-2025-46348
YesWiki contains a flaw triggered by the authentication mechanisms not being properly implemented for requests to commence site backups. This may allow a remote attacker to create and download archives, filling up the file system with archives or disclosing sensitive information.
CVE-2025-43858
YoutubeDLSharp contains a flaw in the RunAsync() Function in YoutubeDLSharp/YoutubeDLProcess.cs. The issue is triggered as the input is not properly validated. This may allow a context-dependent attacker to execute arbitrary OS commands. This is a library/framework vulnerability. This code is used in various software, and the issue may manifest in many ways. Depending on the implementation, it will vary if this vulnerability requires local access or if it may be exploited remotely. This vulnerability exclusively impacts Windows OS.
CVE-2025-32444
vLLM contains a flaw in the wait_for_ack() function in distributed/kv_transfer/kv_pipe/mooncake_pipe[.]py. This flaw is triggered when packets are insecurely deserialized using pickle.loads(). A remote attacker may be able to execute arbitrary code. This issue affects vLLM instances using a mooncake integration. This is a library/framework vulnerability. This code is used in various software, and the issue may manifest in many ways.
Previously Highlighted Vulnerabilities
| CVE/VulnDB ID | Name/Title | Flashpoint Published Date |
| CVE-2025-21218 | Microsoft Windows Kerberos Unspecified Application Handling Resource Consumption Remote DoS | Week of January 15, 2025 |
| CVE-2024-57811 | Eaton XC-303 Hardcoded Credentials | Week of January 15, 2025 |
| CVE-2024-55591 | Fortinet FortiOS (FortiGate) / FortiProxy Node.js WebSocket Module Improper Authentication Remote Authentication Bypass | Week of January 15, 2025 |
| CVE-2025-23006 | SonicWall SMA1000 Unspecified Insecure Deserialization | Week of January 22, 2025 |
| CVE-2025-20156 | Cisco Meeting Management (CMM) Unspecified REST API Endpoint Improper Authorization API Request Handling | Week of January 22, 2025 |
| CVE-2024-50664 | GPAC isomedia/sample_descs.c gf_isom_new_mpha_description() Function MPEGH Audio Configuration Handling Heap Buffer Overflow | Week of January 22, 2025 |
| CVE-2025-24085 | Apple Multiple Products CoreMedia Unspecified Use-After-Free | Week of January 29, 2025 |
| CVE-2024-40890 | Zyxel Multiple Products HTTP Unspecified Remote Command Execution | Week of January 29, 2025 |
| CVE-2024-40891 | Zyxel Multiple Products Telnet Unspecified Remote Command Execution | Week of January 29, 2025 |
| VulnDB ID: 389414 | uniapi Package for Python __init__.py Malicious Code Remote Code Execution | Week of January 29, 2025 |
| CVE-2025-25181 | Advantive VeraCore v5fmsnet/common/timeoutWarning.asp PmSess1 Parameter SQL Injection | Week of February 5, 2025 |
| CVE-2024-40890 | WhoDB /db.go DB_FILE Parameter Path Traversal Remote File Manipulation | Week of February 5, 2025 |
| CVE-2024-40891 | deep-diver LLM-As-Chatbot global_vars.py load_model() Function File Upload | Week of February 5, 2025 |
| CVE-2024-8266 | GitLab Improper Privilege Handling Remote Cross-user Pipeline Triggering | Week of February 12, 2025 |
| CVE-2025-0108 | Palo Alto PAN-OS Management Web Interface Improper URL Normalization | Week of February 12, 2025 |
| CVE-2025-24472 | Fortinet FortiOS (FortiGate) / FortiProxy CSF Proxy Request Handling | Week of February 12, 2025 |
| CVE-2025-21355 | Microsoft Bing Unspecified Missing Authentication Remote Code Execution | Week of February 24, 2025 |
| CVE-2025-26613 | WeGIA gerenciar_backup.php file Parameter Remote OS Command Injection | Week of February 24, 2025 |
| CVE-2024-13789 | Ravpage Plugin for WordPress ravpage.php paramsv2 Parameter Insecure Deserialization PHP Object Injection Remote Code Execution | Week of February 24, 2025 |
| CVE-2025-1539 | D-Link DAP-1320 /storagein.pd-XXXXXX replace_special_char() Function URI Remote | Week of February 24, 2025 |
| CVE-2025-27364 | MITRE Caldera Manx / Sandcat Plugins HTTP Header Linker Argument Injection | Week of March 3, 2025 |
| CVE-2025-27140 | WeGIA /html/configuracao/importar_dump.php filename Parameter Remote OS Command Injection | Week of March 3, 2025 |
| CVE-2025-27135 | RAGFlow ExeSQL Class Unspecified SQL Injection | Week of March 3, 2025 |
| CVE-2024-8420 | DHVC Form Plugin for WordPress Registration Role Field Manipulation | Week of March 3, 2025 |
| CVE-2024-56196 | Apache Traffic Server proxy/http/remap/UrlRewrite.cc Older Version Incompatible ACLs Unspecified Remote Issue | Week of March 10, 2025 |
| CVE-2025-27554 | ToDesktop Deployment Handling Firebase Admin Key Disclosure | Week of March 10, 2025 |
| CVE-2025-22224 | VMware ESXi / Workstation VMCI Unspecified Time-of-Check Time-of-Use (TOCTOU) Race Condition Guest-to-Host Heap Buffer Overflow | Week of March 10, 2025 |
| CVE-2025-1393 | Weidmueller PROCON-WIN Unspecified Hard-Coded Credentials | Week of March 10, 2025 |
| CVE-2025-24201 | Apple WebKit WebGL Context Handling Unspecified Out-of-Bounds Write | Week of March 17, 2025 |
| CVE-2025-27363 | FreeType truetype/ttgload.c load_truetype_glyph() Function Font Subglyph Structure Parsing Integer Overflow | Week of March 17, 2025 |
| CVE-2025-2000 | IBM Qiskit SDK qiskit.qpy.load() Function QPY File Handling Insecure Deserialization | Week of March 17, 2025 |
| CVE-2025-27636 CVE-2025-29891 | Apache Camel support/DefaultHeaderFilterStrategy.java Letter Case / Parameter Handling Filter Bypass Header Injection | Week of March 17, 2025 |
| CVE-2025-1496 | BG-TEK Coslat Hotspot Improper Authentication Attempt Restriction Remote Brute-Force Weakness | Week of March 24, 2025 |
| CVE-2025-27781 | Applio inference.py / tts.py model_file Parameter Insecure Deserialization Remote Code Execution | Week of March 24, 2025 |
| CVE-2025-29913 | NASA CryptoLib core/crypto_tc.c Crypto_TC_Prep_AAD() Function Integer Underflow Remote Heap Buffer Overflow | Week of March 24, 2025 |
| CVE-2025-2746 | Kentico Xperience (Kentico CMS) AuthenticateToken() Function /CMSPages/Staging/SyncServer.asmx Endpoint Invalid Username Handling Remote Authentication Bypass | Week of March 24, 2025 |
| CVE-2025-29927 | Next.js Middleware x-middleware-subrequest Header Handling Remote Authorization Bypass | Week of March 24, 2025 |
| CVE-2025-1974 CVE-2025-2787 | NGINX Ingress Controller (ingress-nginx) Admission Controller Ingress Object Handling Configuration Injection (IngressNightmare) | Week of March 31, 2025 |
| CVE-2025-30259 | WhatsApp Cloud Unspecified PDF File Handling | Week of March 31, 2025 |
| CVE-2025-2783 | Google Chrome Mojo Improper Sentinel Handle Value Handling | Week of March 31, 2025 |
| CVE-2025-30216 | NASA CryptoLib core/crypto_tm.c Crypto_TM_Process_Setup() Function Secondary Header Length Handling Remote Heap Buffer Overflow | Week of March 31, 2025 |
| CVE-2025-22457 | Ivanti Multiple Products WebRequest::dispatchRequest() Function X-Forwarded-For Header Handling Remote Stack Buffer Overflow | Week of April 2, 2025 |
| CVE-2025-2071 | FAST LTA Silent Bricks WebUI Multiple Parameter Remote OS Command Injection | Week of April 2, 2025 |
| CVE-2025-30356 | NASA CryptoLib core/crypto_tc.c Crypto_TC_ApplySecurity_Cam() Function Frame Length Field Integer Underflow Remote Heap Buffer Overflow | Week of April 2, 2025 |
| CVE-2025-3015 | Open Asset Import Library (assimp) AssetLib/ASE/ASELoader.cpp ASEImporter::BuildUniqueRepresentation() Function Out-of-bounds Read Arbitrary Code Execution | Week of April 2, 2025 |
| CVE-2025-31129 | Jooby internal/pac4j/SessionStoreImpl.java SessionStoreImpl::strToObject() Function Insecure Deserialization Remote Code Execution | Week of April 2, 2025 |
| CVE-2025-3248 | Langflow backend/base/langflow/api/v1/validate.py post_validate_code() Function Missing Authentication | Week of April 7, 2025 |
| CVE-2025-27797 | Inaba Denki Sangyo AC-WPS-11ac Series Unspecified Remote OS Command Execution | Week of April 7, 2025 |
| CVE-2025-27690 | Dell PowerScale OneFS Unspecified Default Password | Week of April 7, 2025 |
| CVE-2025-32375 | BentoML Runner Server Request Handling Insecure Deserialization | Week of April 7, 2025 |
| VulnDB ID: 398725 | Amazon AWS Simple Storage Service Nonexistent Cloud Resource Uncontrolled Search Path Element | Week of April 7, 2025 |
| CVE-2025-32433 | Erlang/OTP SSH ssh_connection.erl Missing Authentication SSH Protocol Message Handling | Week of April 12, 2025 |
| CVE-2025-1980 | Symfonia Ready_ Profile Section File Upload | Week of April 12, 2025 |
| CVE-2025-32068 | OAuth Extension for MediaWiki Repository/RefreshTokenRepository.php isRefreshTokenRevoked() Function Refresh Token Permission Revocation Validation | Week of April 12, 2025 |
| CVE-2025-31201 | Apple Multiple Products RPAC Unspecified Pointer Authentication Bypass | Week of April 12, 2025 |
| CVE-2025-3495 | Delta Electronics COMMGR Session ID Generation Insufficient Entropy Remote Brute-Force Weakness | Week of April 12, 2025 |
| CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader Improper Authorization File Upload | Week of April 17, 2025 |
| CVE-2025-42599 | Active! Mail Request Handling Unspecified Remote Stack Buffer Overflow | Week of April 17, 2025 |
| CVE-2025-32445 | Argo Events Improper Template Property Privilege Management Remote Privilege Escalation | Week of April 17, 2025 |
| VulnDB ID: 400516 | ManageEngine OpManager Unspecified Search Logs Handling Path Traversal Remote Issue | Week of April 17, 2025 |
| CVE-2025-22372 | Sicomm BASEC Unspecified Insufficiently Protected Credentials Remote Password Disclosure | Week of April 17, 2025 |
Transform Vulnerability Management with Flashpoint
Fill out the form to the left to subscribe to our newsletter, which features Flashpoint’s leading data and intelligence. Request a demo today to see how Flashpoint can transform your vulnerability management and exposure identification program.