Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for May 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation's honeypot network.

Top 10 vulnerabilities of the month

Evolution for the top 5 vulnerabilities

• CVE-2025-31324 - SAP / SAP NetWeaver (Visual Composer development server)
• CVE-2025-4427 - Ivanti / Endpoint Manager Mobile
• CVE-2025-37899 - Linux / Linux
• CVE-2025-4428 - Ivanti / Endpoint Manager Mobile
• CVE-2025-32756 - Fortinet / FortiVoice

Insights from contributors

CVE-2025-22252: Authentication Vulnerability in FortiOS, FortiProxy, and FortiSwitchManager leads to Unauthenticated Admin Access
CVE-2025-22252 is a missing authentication for critical function vulnerability in devices configured to use a remote TACACS+ server for authentication configured to use ASCII authentication. It may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass, potentially resulting in complete system compromise, data theft and service disruption.

CVE-2025-30663: Additional information
In its security release of 13 May 2025, Zoom addressed two vulnerabilities that could be exploited for privilege escalation: • CVE-2025-30663, a time-of-check time-of-use race condition affecting some Zoom Workplace Apps. If successfully exploited, an authenticated user could conduct an escalation of privilege via local access. • CVE-2025-30664 is an improper neutralization of special elements flaw affecting some Zoom Workplace Apps. Successful exploitation could allow an authenticated user to conduct an escalation of privilege via local access.

CVE-2025-41229: More information
The vulnerabilities could be used by attackers to gain access to services and data. They can also be used to execute arbitrary commands and cause a denial of service. Confidentiality, integrity and availability are all impacted. The only solution is to upgrade immediately.

2025-27920: Additional information
Microsoft discovered critical vulnerability CVE-2025-27920 affecting the messaging application Output Messenger. Microsoft additionally observed exploitation of the vulnerability since April 2024. According to Microsoft, the attacker needs to be authenticated, although the Output Messenger advisory indicates that privileges are not required to exploit the vulnerability. An attacker could upload malicious files into the server’s startup directory by exploiting this directory traversal vulnerability. This allows an attacker to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, possibly leading to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Continuous exploitation

• CVE-2023-0656 - SonicWall / SonicOS (not in CISA KEV)
• CVE-2022-26134 - Atlassian / Confluence Data Center
• CVE-2019-1653 - Cisco / Cisco Small Business RV Series Router Firmware

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

This project implements a FastAPI-based local server designed to load one or more pre-trained NLP models during startup and expose them through a clean, RESTful API for inference.

For example, it leverages the Hugging Face transformers library to load the CIRCL/vulnerability-severity-classification-distilbert-base-uncased model, which specializes in classifying vulnerability descriptions according to their severity level. The server initializes this model once at startup, ensuring minimal latency during inference requests.

Clients interact with the server via dedicated HTTP endpoints corresponding to each loaded model. Additionally, the server automatically generates comprehensive OpenAPI documentation that details the available endpoints, their expected input formats, and sample responses—making it easy to explore and integrate the services.

The ultimate goal is to enrich vulnerability data descriptions through the application of a suite of NLP models, providing direct benefits to Vulnerability-Lookup and supporting other related projects.

Today we released Vulnerability-Lookup 2.9.0 with new features, enhancements, and bug fixes.

What's New

Adversarial Techniques from MITRE EMB3D

The Adversarial Techniques from MITRE EMB3D are now integrated into Vulnerability-Lookup as a new source and are correlated with existing security advisories.

This feature was contributed by Piotr Kaminski during the last Hack.lu hackathon. (#129)

Global CVE Allocation System (GCVE)

GCVE identifiers are now supported in HTML templates and URL parameters,
thanks to the GCVE Python client.
These identifiers can now be used when disclosing a new vulnerability as part of the Coordinated Vulnerability Disclosure (CVD) process, in alignment with NIS 2 requirements. (8bb3d84, 58c394a)

Trustworthy Level for Members

Members of a Vulnerability-Lookup instance now have a dynamically calculated
trustworthy level based on profile completeness and verification.
Members affiliated with FIRST.org or European CSIRTs (CNW) are automatically
trusted for operations that would otherwise require administrator approval
(e.g., creating comments).

Changes

• New API endpoint for MITRE EMB3D. (c0d6b44)
• Improved the vulnerability disclosure page. (ccfb6b1)
• Added page arguments to the vulnerability/last endpoint. (ce75a7a)
• Notification emails now include a random signoff. (#119)
• Various graphical enhancements. (0878a31)

Fixes

• Fixed editing of notifications for Organization/Product. (#124)

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.9.0

🚨 April 2025 Vulnerability Report is out! 🚨

👉 https://www.vulnerability-lookup.org/2025/05/01/vulnerability-report-april-2025/

The most prominent vulnerabilities affect the following products:

• Ivanti / ConnectSecure
• Erlang / OTP
• SAP / SAP NetWeaver

The Continuous Exploitation section highlights several resurgent vulnerabilities (recently exploited at a high rate), including:

• CVE-2017-17215 (Huawei router)
• CVE-2015-2051 (D-Link)

Check out the report for more details.

A huge thank you to all contributors and data sources that make this possible! 🙌

Want to help shape the next report? Join us: 👉 https://vulnerability.circl.lu/user/signup

💻 NISDUC Conference

Vulnerability-Lookup will be presented during the fourth NISDUC conference.

👉 https://www.nisduc.eu/

The Global CVE (GCVE) allocation system is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.

This client can be integrated into software such as Vulnerability-Lookup to provide core GCVE functionalities by adhering to the Best Current Practices.
It can also be used as a standalone command-line tool.

Examples of usage

As a command line tool

First install the gcve client:

$ python -m pip install --user pipx
$ python -m pipx ensurepath

$ pipx install gcve
  installed package gcve 0.6.0, installed using Python 3.13.0
  These apps are now globally available
    - gcve
done! ✨ 🌟 ✨

Pulling the registry locally

$ gcve registry --pull
Pulling from registry...
Downloaded updated https://gcve.eu/dist/key/public.pem to data/public.pem
Downloaded updated https://gcve.eu/dist/gcve.json.sigsha512 to data/gcve.json.sigsha512
Downloaded updated https://gcve.eu/dist/gcve.json to data/gcve.json
Integrity check passed successfully.

Retrieving a GNA

Note: This operation is case sensitive.

$ gcve registry --get CIRCL
{
  "id": 1,
  "short_name": "CIRCL",
  "cpe_vendor_name": "circl",
  "full_name": "Computer Incident Response Center Luxembourg",
  "gcve_url": "https://vulnerability.circl.lu/",
  "gcve_api": "https://vulnerability.circl.lu/api/",
  "gcve_dump": "https://vulnerability.circl.lu/dumps/",
  "gcve_allocation": "https://vulnerability.circl.lu/",
  "gcve_sync_api": "https://vulnerability.circl.lu/"
}

$ gcve registry --get CIRCL | jq .id
1

Searching the Registry

Note: Search operations are case insensitive.

$ gcve registry --find cert
[
  {
    "id": 680,
    "short_name": "DFN-CERT",
    "full_name": "DFN-CERT Services GmbH",
    "gcve_url": "https://adv-archiv.dfn-cert.de/"
  }
]

More information in the Git repository.

The Global CVE (GCVE) allocation system is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.

While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement.

This release of Vulnerability-Lookup includes new features, better monitoring, improvements and fixes.

What's New

Centralized monitoring service

This feature adds log and process heartbeat reporting to a Valkey datastore, enabling centralized monitoring of Vulnerability-Lookup’s system health and its various components.
(#106)

This new feature is essential for monitoring our expanding suite of tools used to collect vulnerability-related information.

It also supports our new email notification service, which alerts platform users about newly discovered vulnerabilities. Additionally, a new admin view has been introduced, allowing real-time monitoring of the collected logs.

CWE and CAPEC

The CAPEC (Common Attack Pattern Enumerations) and CWE (Common Weakness Enumeration) datasets are now accessible through the API. Check out the documentation.
(#98)

Changes

• [API] Added a new 'since' argument to the /api/vunerability/search/<vendor>/<product> endpoint (833d799)
• [Web] Improved administration dashboard (a732ff3, 0258b24, 04f3772)

Fixes

• Missing description on some description from Microsoft feeds (#107)
• Removed duplicate occurences of the string cvssV4_0 in various Jinja filters. (73c4111)
• Few minor fixes.

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.6.0

Feedback and Support

If you encounter issues or have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time informationa about security advisories:
https://social.circl.lu/@vulnerability_lookup/

You can star the project on GitHub:
https://github.com/vulnerability-lookup/vulnerability-lookup

Or create an account:
https://vulnerability.circl.lu/

cross-posted from: https://lemmy.ml/post/25836770

Just wanted to share my Pixelfed account: @[email protected]

I like so much this network. A lot of awesome artists are sharing their work there. fan of the accounts @[email protected], @[email protected], @[email protected], @[email protected], @[email protected], and so much more!

Just wanted to share my Pixelfed account: @[email protected]

I like so much this network. A lot of awesome artists are sharing their work there. fan of the accounts @[email protected], @[email protected], @[email protected], @[email protected], @[email protected], and so much more!