Commvault has issued a security advisory concerning a critical flaw in its Command Center platform, the centralised web console used to manage Commvault services within enterprise environments.
Identified as CVE-2025-34028, the vulnerability is a path traversal issue carrying the maximum CVSSv3 base score of 10.0. An unauthenticated attacker can upload a ZIP archive to the affected server; when the server extracts it, entry names containing traversal sequences are written outside the intended directory, which lets the attacker place a file where the application will execute it and so achieve remote code execution (RCE). Because no credentials are required, any Command Center instance reachable from untrusted networks should be treated as exposed until it is patched.
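The Commvault flaw is an instance of the archive path-traversal pattern often called Zip Slip: the server accepts an archive from an unauthenticated caller and, when extracting it, joins each entry name onto its extraction directory without checking where the resulting path lands, so an entry whose name contains `../` components is written wherever the attacker chooses, including a directory whose contents the application server will execute. The Python script below is an added illustration written for this page; it is not Commvault's code, and the archive it builds is a constructed sample containing harmless text, not an exploit. It contrasts the naive extractor with a hardened one that resolves every entry's real target path before writing anything, and includes a lexical pre-check suitable for auditing uploads.

```python
"""Zip Slip demo: a naive extractor trusts entry names; a hardened one resolves
each target path first and refuses the archive if any entry escapes the root.
Everything here is constructed for illustration; the archive content is benign."""
import io
import os
import posixpath
import stat
import tempfile
import zipfile


class ZipTraversalError(ValueError):
    """An archive entry would be written outside the extraction root."""


def build_sample_zip() -> bytes:
    """Constructed archive: one ordinary entry plus one whose name climbs two
    directories above the extraction root. Text content only, no exploit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "harmless content\n")
        zf.writestr("../../webroot/dropped.txt", "attacker-controlled bytes\n")
    return buf.getvalue()


def offending_entries(zip_bytes: bytes) -> list[str]:
    """Lexical pre-check for uploads: names that are absolute or normalise to
    a leading '..' are flagged before anything touches the disk."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name.replace("\\", "/"))
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                bad.append(name)
    return bad


def _escapes(root: str, target: str) -> bool:
    """True if the resolved target does not sit inside the resolved root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(target)]) != root


def unsafe_extract(zip_bytes: bytes, root: str) -> list[str]:
    """The vulnerable pattern: join the entry name onto root and write.
    Returns the real paths written so the caller can see where they went."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(root, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, root: str) -> list[str]:
    """Hardened form: validate every entry (containment, no symlinks) before
    writing anything, so a bad archive is rejected as a whole."""
    root = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        targets = [os.path.join(root, i.filename.replace("\\", "/")) for i in infos]
        for info, target in zip(infos, targets):
            if _escapes(root, target):
                raise ZipTraversalError(f"entry escapes root: {info.filename!r}")
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ZipTraversalError(f"symlink entry refused: {info.filename!r}")
        written = []
        for info, target in zip(infos, targets):
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the sample inside a scratch tree <tmp>/app/uploads,
    so the traversal entry lands in <tmp>/webroot rather than anywhere real."""
    payload = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        root = os.path.join(tmp, "app", "uploads")
        os.makedirs(root)
        escaped = [os.path.relpath(p, tmp)
                   for p in unsafe_extract(payload, root) if _escapes(root, p)]
        try:
            safe_extract(payload, root)
            refused = False
        except ZipTraversalError:
            refused = True
    return {"audit": offending_entries(payload),
            "unsafe_escaped": escaped, "safe_refused": refused}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the result dictionary: under the naive extractor the sample's traversal entry ends up in a `webroot` directory two levels above the extraction root, while the hardened extractor refuses the whole archive. The containment check must be made on the resolved path (`realpath`) rather than the raw name, otherwise mixed separators and symlinked directories can defeat it; the lexical check is only a cheap first filter for upload handlers.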
ConnectWise has issued a security update to resolve a vulnerability in on-premises ScreenConnect deployments. The issue concerns ViewState, the mechanism the ASP.NET Web Forms framework uses to carry page and control state between requests: the state is serialised, Base64-encoded into a hidden form field, and protected against tampering by a message authentication code computed with the site's machine keys.
An attacker who has already obtained elevated privileges on the server can read those machine keys, forge a ViewState that passes MAC validation, and submit it to the site; the server then deserialises the attacker-controlled payload, which could result in remote code execution (RCE). The update to ScreenConnect disables the use of ViewState and removes any reliance on it, so submitted ViewState is no longer processed at all. Because the attack requires the keys first, this is not an initial-access vector, but any deployment where the machine keys may already have been exposed should be treated as compromised rather than merely unpatched.
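The chain described above is: machine keys leak, the attacker forges a MAC-valid ViewState, the server deserialises it. The Python script below is an added model written for this page, not ConnectWise or Microsoft code, and it deliberately simplifies the real format: ASP.NET serialises control state with its own formatter and covers extra modifier data under the MAC, whereas here the body is JSON and the MAC is HMAC-SHA256 over the body alone. The key and page states are constructed values. The model shows four cases: a genuine round trip, tampering without the key (rejected), forgery with a leaked key (accepted, and in a real deployment handed to the deserialiser that is the code-execution sink), and the same forged payload against a server configured to ignore ViewState, which is the effect of the ScreenConnect fix.

```python
"""Simplified model of MAC-protected ViewState:
    __VIEWSTATE = Base64(body || HMAC-SHA256(validationKey, body))
verified before the body is deserialised. Not the real ASP.NET format; the
key and states are constructed for this example."""
import base64
import hashlib
import hmac
import json

TAG_LEN = 32

# Hypothetical server-side machineKey validationKey (constructed, not real).
SERVER_VALIDATION_KEY = bytes.fromhex("3b" * 32)


def encode_viewstate(state: dict, key: bytes) -> str:
    """Serialise state and append the MAC, as the server does when it renders
    the hidden __VIEWSTATE field."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def decode_viewstate(blob: str, key: bytes) -> dict:
    """Verify the MAC first, then deserialise. With real ASP.NET the
    deserialiser itself is the code-execution sink, so the MAC check is the
    only thing standing between attacker bytes and that sink."""
    raw = base64.b64decode(blob)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(body)


def tamper_without_key(blob: str, new_state: dict) -> str:
    """Attacker who lacks the key: replace the body, keep the original tag."""
    raw = base64.b64decode(blob)
    new_body = json.dumps(new_state, sort_keys=True).encode()
    return base64.b64encode(new_body + raw[-TAG_LEN:]).decode()


def handle_postback(form: dict, key: bytes, accept_viewstate: bool) -> dict:
    """Server-side handling of a POST. With accept_viewstate=False the field
    is ignored entirely, which is what removing reliance on ViewState means:
    even a correctly MAC'd payload never reaches the deserialiser."""
    blob = form.get("__VIEWSTATE")
    if not accept_viewstate or blob is None:
        return {"status": "stateless", "state": None}
    try:
        return {"status": "ok", "state": decode_viewstate(blob, key)}
    except ValueError as exc:
        return {"status": "rejected", "state": None, "reason": str(exc)}


def scenarios() -> dict:
    """Genuine round trip, tampering without the key, forgery with a leaked
    key, and the same forgery against a server that ignores ViewState."""
    genuine = encode_viewstate({"page": "Login", "attempts": 1}, SERVER_VALIDATION_KEY)
    tampered = tamper_without_key(genuine, {"page": "Admin"})
    leaked_key = SERVER_VALIDATION_KEY  # what a privileged attacker reads off the host
    forged = encode_viewstate({"page": "Admin", "gadget": "constructed-marker"}, leaked_key)
    return {
        "genuine": handle_postback({"__VIEWSTATE": genuine}, SERVER_VALIDATION_KEY, True)["status"],
        "tampered": handle_postback({"__VIEWSTATE": tampered}, SERVER_VALIDATION_KEY, True)["status"],
        "forged": handle_postback({"__VIEWSTATE": forged}, SERVER_VALIDATION_KEY, True)["status"],
        "forged_after_fix": handle_postback({"__VIEWSTATE": forged}, SERVER_VALIDATION_KEY, False)["status"],
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:18s} {status}")
```

The point the third case makes is that a MAC provides integrity against parties who do not hold the key; it is not an access control, so once the keys are readable the deserialiser accepts whatever the attacker signs. The fourth case shows why disabling ViewState is a stronger fix than rotating keys: the sink is removed rather than re-protected.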
SAP has issued a security notice regarding a critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver. Research has shown that the vulnerability is being actively exploited by an initial access broker, allowing unauthenticated attackers to gain unauthorised access to SAP systems. This poses significant risk to enterprise environments, including potential data breaches and further system compromise.
The vulnerability is a missing authorisation check in the Visual Composer Metadata Uploader component of the NetWeaver Java stack: the uploader accepts files from callers who have not authenticated, so an attacker can write a web shell (typically a JSP file) into a web-served directory and run commands on the host with the privileges of the application server. From there, attackers have been observed moving laterally within the network and escalating privileges. Because the flaw was exploited before a patch was available, patching alone is not sufficient: exposed systems should also be examined for unexpected JSP files and for unfamiliar requests to the uploader endpoint.
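The publicly reported exploitation path for CVE-2025-31324 is an unauthenticated request to the Metadata Uploader endpoint, `/developmentserver/metadatauploader`, used to drop a file into a web-served directory. The Python script below is an added hunting example written for this page, not SAP tooling: it scans web-server access-log lines, reports every hit on that endpoint grouped by client, ranks POST requests that received a 2xx response (the upload reached the component), and lists subsequent `.jsp` requests from the same clients, which after a successful upload usually indicates a dropped shell being used. The sample log lines are constructed, and the regex targets the common combined log format as a stand-in; SAP ICM/HTTP log formats are configurable, so a real deployment may need a different pattern.

```python
"""Access-log hunt for the Metadata Uploader endpoint abused in CVE-2025-31324.
The log lines are constructed for this example; the regex targets the common
combined log format as a stand-in for whatever the SAP ICM/HTTP log emits."""
import re
from collections import defaultdict

UPLOADER_PATH = "/developmentserver/metadatauploader"  # publicly reported endpoint

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: ordinary portal traffic from 10.0.0.5, a probe and a POST
# to the uploader from 203.0.113.7, then that client fetching a JSP file.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:10:02:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 412
203.0.113.7 - - [24/Apr/2025:10:02:14 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
10.0.0.5 - - [24/Apr/2025:10:03:00 +0000] "POST /irj/servlet/prt/portal/prtroot/login HTTP/1.1" 302 0
203.0.113.7 - - [24/Apr/2025:10:02:40 +0000] "GET /irj/dropped.jsp?x=1 HTTP/1.1" 200 88
"""


def parse(lines):
    """Yield one dict per parseable line; the query string is stripped and the
    path lower-cased so that endpoint matching is exact."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0].lower()
            yield rec


def hunt(log_text: str) -> dict:
    """Group uploader requests by client, rank 2xx POSTs, and list .jsp
    requests made by the same clients."""
    records = list(parse(log_text.splitlines()))
    uploader_hits = defaultdict(list)
    for r in records:
        if r["path"] == UPLOADER_PATH:
            uploader_hits[r["ip"]].append((r["method"], r["status"], r["ts"]))
    priority_posts = [
        (r["ip"], r["ts"]) for r in records
        if r["path"] == UPLOADER_PATH and r["method"] == "POST"
        and r["status"].startswith("2")
    ]
    jsp_by_same_client = defaultdict(list)
    for r in records:
        if r["ip"] in uploader_hits and r["path"].endswith(".jsp"):
            jsp_by_same_client[r["ip"]].append(r["path"])
    return {
        "uploader_hits": dict(uploader_hits),
        "priority_posts": priority_posts,
        "jsp_by_same_client": dict(jsp_by_same_client),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(key, value)
```

A GET to the endpoint that returns 200 tells an attacker the component is present and reachable; the POST that follows is the upload itself, so 2xx POSTs are the records to triage first. Any client that touches the uploader and later requests a JSP file that is not part of the known portal content should be treated as evidence of compromise, not just exposure.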
Craft CMS has issued a security alert concerning two critical vulnerabilities, CVE-2025-32432 and CVE-2024-58136, that are currently being exploited in the wild. The two flaws have been chained together to compromise approximately 300 of an estimated 13,000 vulnerable servers. Because exploitation preceded public disclosure, operators of exposed instances should check for signs of compromise (for example, unexpected PHP files in the web root) and rotate application secrets and database credentials after updating, rather than treating the update alone as sufficient.
- CVE-2025-32432: A remote code execution (RCE) vulnerability in Craft CMS's image transformation feature, allowing unauthenticated attackers to execute arbitrary code.
- CVE-2024-58136: An input validation flaw in the Yii PHP framework on which Craft CMS is built, which can be exploited to reach restricted functionality or resources; in the observed attacks it is the step that gives access to the vulnerable image transformation code path.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Commvault – Security Advisories
ConnectWise – Security Bulletins
SAP – Knowledge Base
Craft CMS – Knowledge Base
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.