
Cisco has issued 10 security advisories for vulnerabilities in Cisco IOS XR Software, including seven high and three medium severity issues:

  • CVE-2025-20138 (CVSSv3 8.8) allows an authenticated remote attacker with read-only admin credentials to execute commands and escalate privileges.
  • CVE-2025-20177 (CVSSv3 6.7) enables attackers to bypass image signature verification and load unverified software.
  • CVE-2025-20143 (CVSSv3 6.7) lets an authenticated attacker bypass Secure Boot and install unauthorized software.

Other high-severity flaws could enable denial-of-service (DoS) attacks.

Medium-severity vulnerabilities CVE-2025-20145 (CVSSv3 5.8) and CVE-2025-20144 (CVSSv3 4.0) allow unauthenticated attackers to bypass access control lists (ACLs).

GitHub – A serious security breach has been identified with the tj-actions/changed-files GitHub Action. This action, which tracks file modifications in repositories, has been altered to expose CI/CD secrets—such as passwords, tokens, API keys, PII, and other sensitive data embedded in code—via GitHub Actions build logs. Publicly accessible workflow logs, particularly for open repositories, could allow attackers to harvest these secrets for further malicious activities. This vulnerability is classified as high severity and is tracked under CVE-2025-30066.
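The first step in responding to a compromised third-party action is finding where it is used. The following is an added example, not code from the advisory, GitHub or the tj-actions project: it scans a repository's `.github/workflows` directory (an assumed layout) for every step that references tj-actions/changed-files and reports whether the reference is a full commit SHA or a mutable tag or branch name, which resolves to whatever the tag currently points at.

```python
import re
from pathlib import Path

# Compromised action named in the advisory (CVE-2025-30066).
COMPROMISED_ACTION = "tj-actions/changed-files"

# Matches a step reference of the form owner/repo[/path]@ref, optionally quoted.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^'\"\s#]+)"
)
# A full 40-hex commit SHA is an immutable reference; tags and branches are not.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text, action=COMPROMISED_ACTION):
    """Return (line_no, ref, pinned_to_commit) for each step using `action`."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        name, ref = m.group(1), m.group(2)
        # Match the action itself and any sub-action path inside its repo.
        if name == action or name.startswith(action + "/"):
            hits.append((n, ref, bool(SHA_RE.match(ref))))
    return hits


def scan_workflows(root):
    """Scan every workflow file under root/.github/workflows; return {path: hits}."""
    results = {}
    for p in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        hits = find_action_refs(p.read_text(encoding="utf-8"))
        if hits:
            results[str(p)] = hits
    return results


# Constructed sample workflow for demonstration; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: 'tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567'
"""

if __name__ == "__main__":
    for n, ref, pinned in find_action_refs(SAMPLE_WORKFLOW):
        kind = "commit SHA" if pinned else "mutable tag/branch"
        print(f"line {n}: {COMPROMISED_ACTION}@{ref} ({kind})")
```

Run `scan_workflows(".")` from a checked-out repository to get the same report for real workflow files.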

The Apache Software Foundation has issued security patches to address a flaw in Apache Tomcat, an open-source web server and servlet container used for deploying Java web applications. Identified as CVE-2025-24813, the vulnerability involves deserialising untrusted data combined with a file name path equivalence issue (Internal dot), enabling an attacker to perform remote code execution, access sensitive files, or modify their contents. This vulnerability has been actively exploited in the wild, and a public proof-of-concept exploit has been released.

Veeam has released a security bulletin regarding a critical flaw in its Backup & Replication product, a proprietary tool for backing up virtual environments across various hypervisors. The vulnerability, designated as CVE-2025-23120, carries a CVSSv4 score of 9.9. If exploited by an authenticated remote attacker with valid domain privileges, it could result in remote code execution (RCE). This critical issue only affects domain-joined backup servers.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Cisco – Security Advisories

GitHub – Advisory Database and Security Advisory (Reviewdog)

Apache – NIST database

Veeam – Support Knowledge Base

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.
