This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).
CVE-2025-24991
Vendor: Microsoft
Product: Windows
Added: 2025-03-11
Due Date: 2025-04-01
Description:
Microsoft Windows New Technology File System (NTFS) contains an out-of-bounds read vulnerability that allows an authorized attacker to disclose information locally.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-24985
Vendor: Microsoft
Product: Windows
Added: 2025-03-11
Due Date: 2025-04-01
Description:
Microsoft Windows Fast FAT File System Driver contains an integer overflow or wraparound vulnerability that allows an unauthorized attacker to execute code locally.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-24984
Vendor: Microsoft
Product: Windows
Added: 2025-03-11
Due Date: 2025-04-01
Description:
Microsoft Windows New Technology File System (NTFS) contains an insertion of sensitive Information into log file vulnerability that allows an unauthorized attacker to disclose information with a physical attack. An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-24983
Vendor: Microsoft
Product: Windows
Added: 2025-03-11
Due Date: 2025-04-01
Description:
Microsoft Windows Win32 Kernel Subsystem contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-26633
Vendor: Microsoft
Product: Windows
Added: 2025-03-11
Due Date: 2025-04-01
Description:
Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2024-13161
Vendor: Ivanti
Product: Endpoint Manager (EPM)
Added: 2025-03-10
Due Date: 2025-03-31
Description:
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2024-13160
Vendor: Ivanti
Product: Endpoint Manager (EPM)
Added: 2025-03-10
Due Date: 2025-03-31
Description:
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2024-13159
Vendor: Ivanti
Product: Endpoint Manager (EPM)
Added: 2025-03-10
Due Date: 2025-03-31
Description:
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2024-57968
Vendor: Advantive
Product: VeraCore
Added: 2025-03-10
Due Date: 2025-03-31
Description:
Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-25181
Vendor: Advantive
Product: VeraCore
Added: 2025-03-10
Due Date: 2025-03-31
Description:
Advantive VeraCore contains a SQL injection vulnerability in timeoutWarning.asp that allows a remote attacker to execute arbitrary SQL commands via the PmSess1 parameter.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-22226
Vendor: VMware
Product: ESXi, Workstation, and Fusion
Added: 2025-03-04
Due Date: 2025-03-25
Description:
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-22225
Vendor: VMware
Product: ESXi
Added: 2025-03-04
Due Date: 2025-03-25
Description:
VMware ESXi contains an arbitrary write vulnerability. Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2025-22224
Vendor: VMware
Product: ESXi and Workstation
Added: 2025-03-04
Due Date: 2025-03-25
Description:
VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2024-50302
Vendor: Linux
Product: Kernel
Added: 2025-03-04
Due Date: 2025-03-25
Description:
The Linux kernel contains a use of uninitialized resource vulnerability that allows an attacker to leak kernel memory via a specially crafted HID report.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2024-4885
Vendor: Progress
Product: WhatsUp Gold
Added: 2025-03-03
Due Date: 2025-03-24
Description:
Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.
Required Action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CWEs: