In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between March 18-19, 2025.
During this period, the National Vulnerability Database published 72 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 5
High: 13
Medium: 11
Low: 1
Severity Not Assigned: 42
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-2262
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
References: https://plugins.trac.wordpress.org/browser/gs-logo-slider/trunk/includes/shortcode-builder/builder.php#L31
https://plugins.trac.wordpress.org/browser/gs-logo-slider/trunk/includes/shortcode-builder/builder.php#L51
https://plugins.trac.wordpress.org/browser/gs-logo-slider/trunk/includes/shortcode-builder/builder.php#L65
https://plugins.trac.wordpress.org/changeset/3256441/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3c7cc2d2-8de4-453b-b4dc-48f75b151078?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-0755
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16.
References: https://jira.mongodb.org/browse/SERVER-94461
CWE-ID: CWE-122
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-24306
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in +F FS010M versions prior to V2.0.0_1101. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker with an administrative privilege.
References: https://fsi-plusf.jp/news/25031701.html
https://jvn.jp/en/jp/JVN11230428/
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
4. CVE-2025-25220
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in +F FS010M versions prior to V2.0.1_1101. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker.
References: https://fsi-plusf.jp/news/25031701.html
https://jvn.jp/en/jp/JVN11230428/
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-23942
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS.
References: https://cert.vde.com/en/advisories/VDE-2024-010
CWE-ID: CWE-311
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-23943
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected.
References: https://cert.vde.com/en/advisories/VDE-2024-010
CWE-ID: CWE-306
Common Platform Enumerations (CPE): Not Found
7. CVE-2025-1468
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy.
References: https://cert.vde.com/en/advisories/VDE-2025-022
CWE-ID: CWE-203
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-47539
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login via a crafted HTTP request.
References: https://fortiguard.com/psirt/FG-IR-23-439
CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-21760
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 1.7
Impact Score: 6.0
Description: An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet.
References: https://fortiguard.fortinet.com/psirt/FG-IR-23-420
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-8997
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vestel EVC04 Configuration Interface allows SQL Injection. This issue affects EVC04 Configuration Interface: through 18.03.2025.
References: https://www.usom.gov.tr/bildirim/tr-25-0070
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
11. CVE-2025-2449
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: NI FlexLogger usiReg URI File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of NI FlexLogger. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of URI files by the usiReg component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21805.
References: https://www.zerodayinitiative.com/advisories/ZDI-25-146/
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
12. CVE-2025-2450
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: NI Vision Builder AI VBAI File Processing Missing Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NI Vision Builder AI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of VBAI files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22833.
References: https://www.zerodayinitiative.com/advisories/ZDI-25-147/
CWE-ID: CWE-356
Common Platform Enumerations (CPE): Not Found
13. CVE-2025-27688
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Dell ThinOS 2408 and prior contains an improper permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.
References: https://www.dell.com/support/kbdoc/en-us/000289886/dsa-2025-107
CWE-ID: CWE-732
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-56346
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: IBM AIX 7.2 and 7.3 nimesis NIM master service could allow a remote attacker to execute arbitrary commands due to improper process controls.
References: https://www.ibm.com/support/pages/node/7186621
CWE-ID: CWE-114
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-56347
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: IBM AIX 7.2 and 7.3 nimsh service SSL/TLS protection mechanisms could allow a remote attacker to execute arbitrary commands due to improper process controls.
References: https://www.ibm.com/support/pages/node/7186621
CWE-ID: CWE-114
Common Platform Enumerations (CPE): Not Found
16. CVE-2025-24799
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.
References: https://github.com/glpi-project/glpi/security/advisories/GHSA-jv89-g7f7-jwfg
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
17. CVE-2025-24801
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
References: https://github.com/glpi-project/glpi/security/advisories/GHSA-g2p3-33ff-r555
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-12563
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.
References: https://s2member.com/changelog/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3326e9d-504f-444f-baf7-03989594f483?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found