
Fortinet has released security updates addressing 18 vulnerabilities across multiple products, including FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiWeb, FortiSIEM, FortiSandbox, FortiIsolator, and FortiADC. The most serious are CVE-2023-48790, an unauthenticated cross-site scripting (XSS) issue in FortiNDR, and CVE-2024-45325, which allows a privileged attacker to execute commands in FortiOS and related products. Other high-severity flaws include remote database access in FortiSIEM (CVE-2023-40723), privilege escalation in FortiSandbox (CVE-2024-45328), and code execution in FortiIsolator (CVE-2024-55590). Fortinet has also patched medium-severity issues involving arbitrary file writes, command execution, and web application firewall bypasses. Users are urged to apply the latest patches without delay; Fortinet management interfaces exposed to the internet should be treated as the highest priority.

Apple has released emergency security updates for a zero-day vulnerability in the WebKit browser engine, tracked as CVE-2025-24201. The flaw is an out-of-bounds write that lets maliciously crafted web content break out of the Web Content sandbox; Apple says it may have been exploited in an extremely sophisticated attack against specific targeted individuals running iOS versions before 17.2, and describes the update as a supplementary fix for an attack that was blocked in iOS 17.2. An attacker would trigger it by luring a user to a malicious website, potentially gaining arbitrary code execution. Fixes ship in iOS 18.3.2 and iPadOS 18.3.2 (iPhone XS and later, iPad Air 3rd generation and later, iPad Pro models, and other iPads that run iPadOS 18), macOS Sequoia 15.3.2, Safari 18.3.1, and visionOS 2.3.2. This is the third actively exploited zero-day Apple has patched in 2025.

Zoom has addressed five vulnerabilities in its applications, four of them rated high severity. The high-severity issues, CVE-2025-27440, CVE-2025-27439, CVE-2025-0151, and CVE-2025-0150, are memory-related bugs that an authenticated user could exploit over the network to escalate privileges. They affect Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK products before version 6.3.0. The fifth, a medium-severity insufficient verification of data authenticity issue, could allow an unprivileged user with network access to cause a denial of service (DoS).

Ivanti Endpoint Manager Mobile (EPMM) is affected by three critical vulnerabilities, CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082, that are being actively exploited. CVE-2023-35078 allows an unauthenticated attacker to bypass authentication and reach sensitive API endpoints; CVE-2023-35081 allows an authenticated administrator to write arbitrary files to the appliance; and CVE-2023-35082 is a further authentication bypass that grants unauthorised access to system functionality.

Cisco has released 10 security advisories, seven rated high and three medium severity, for vulnerabilities in Cisco IOS XR Software, the operating system that runs on Cisco's service-provider and core routers:

  • CVE-2025-20138 is an 'improper neutralisation of special elements used in an OS command' vulnerability (CWE-78) with a CVSSv3 score of 8.8. Successful exploitation could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device, provided that the attacker has valid read-only administrative credentials.
  • CVE-2025-20177 is an 'improper handling of insufficient privileges' vulnerability with a CVSSv3 score of 6.7. It could allow an attacker to bypass Cisco IOS XR image signature verification and load unverified software.
  • CVE-2025-20143 is an 'improper verification of cryptographic signature' vulnerability with a CVSSv3 score of 6.7. It could allow an authenticated, remote attacker to bypass the Secure Boot functionality and load unverified software on an affected device, provided that the attacker has valid read-only administrative credentials.
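To make the weakness class behind CVE-2025-20138 concrete, the following is an added example (not Cisco's code, and unrelated to IOS XR internals) of the pattern CWE-78 describes: a wrapper that assembles an OS command from operator input as a single shell string, shown beside two hardened forms. The use of `echo` as the wrapped tool and the host-name pattern are assumptions for the demo.

```python
import re
import shlex
import subprocess

# Assumption for the demo: a valid "host" is letters, digits, dots and hyphens only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(target: str) -> str:
    """CWE-78: the argument is spliced into one string that /bin/sh parses.

    A target such as "host.example; echo INJECTED" becomes two commands.
    `echo` stands in for the real tool (ping, traceroute, ...) so this runs
    harmlessly offline.
    """
    cmd = "echo " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(target: str) -> str:
    """Mitigation 1: still a shell string, but the argument is quoted.

    shlex.quote() wraps the value in single quotes, so the shell passes it
    through untouched. Adequate only when a shell really is required.
    """
    cmd = "echo " + shlex.quote(target)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(target: str) -> str:
    """Mitigation 2 (preferred): validate, then pass an argv list with no shell.

    With shell=False the argument vector goes straight to exec(), so no shell
    ever sees the metacharacters; the allowlist rejects them up front, and the
    leading-dash check blocks option injection such as "--output=/etc/passwd".
    """
    if not _HOST_RE.fullmatch(target) or target.startswith("-"):
        raise ValueError(f"rejected target: {target!r}")
    return subprocess.run(["echo", target], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "host.example; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))   # second command ran
    print("quoted:    ", repr(run_quoted(payload)))       # printed literally
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:  ", exc)                         # rejected before exec
```

The same distinction applies to any management plane that shells out on behalf of a low-privileged operator: quoting alone stops the shell from splitting the argument, but only validation plus an argv call keeps the wrapped tool from being handed unexpected options.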

The remaining high-severity advisories cover vulnerabilities that could allow an authenticated, remote attacker to cause a denial of service (DoS) on an affected device.

Adobe has released security updates addressing multiple critical vulnerabilities in Adobe Acrobat and Acrobat Reader, each with a CVSS score of 7.8 and capable of leading to arbitrary code execution when a victim opens a malicious file:

  • CVE-2025-27174, CVE-2025-27159, and CVE-2025-27160 are Use After Free vulnerabilities that could allow an attacker to execute arbitrary code; exploitation requires user interaction.
  • CVE-2025-27158 and CVE-2025-27162 are Access of Uninitialized Pointer flaws that could lead to code execution in the context of the current user.
  • CVE-2025-27161 is an Out-of-Bounds Read issue that could also enable arbitrary code execution.

Adobe has also addressed critical vulnerabilities in Adobe Illustrator, Adobe InDesign Desktop, and Adobe Substance 3D Sampler.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Fortinet – PSIRT Advisories

Apple – Security Releases

Zoom – Security Bulletin

Ivanti – CISA Known Exploited Vulnerabilities Catalog

Cisco – Security Advisories

Adobe – Security Bulletin
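Several of the CVEs above (the Ivanti EPMM flaws and Apple's CVE-2025-24201) are listed in CISA's Known Exploited Vulnerabilities catalogue, which CISA also publishes as a JSON feed. The script below is an added example, not part of this advisory or of any vendor tooling: it cross-references an asset inventory against a feed in that shape and orders the remediation work by CISA's due date. The feed extract and the inventory are constructed samples with placeholder dates; the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are those used by the real catalogue.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV feed. Only the fields used below are
# included, and the dates are placeholders for the demo, not the catalogue's values.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-35078", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-35082", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-24201", "vendorProject": "Apple",
         "product": "Multiple Products",
         "dateAdded": "2025-03-13", "dueDate": "2025-04-03",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory: each asset lists the CVEs its current version is
# exposed to, i.e. what a scanner or a vendor advisory lookup would report.
SAMPLE_INVENTORY = [
    {"asset": "mdm01", "cves": ["CVE-2023-35078", "CVE-2023-35082"]},
    {"asset": "laptop-042", "cves": ["CVE-2025-24201"]},
    {"asset": "meeting-room-3", "cves": ["CVE-2025-27440"]},  # Zoom: not in KEV
]


def load_kev(raw: str) -> dict:
    """Index a KEV-shaped feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def triage(inventory: list, kev: dict, today: str) -> list:
    """Return one row per (asset, CVE) pair that is in KEV, most urgent first.

    CVEs absent from the catalogue are skipped here: they still need patching,
    but on the normal cycle rather than against a CISA deadline.
    """
    now = date.fromisoformat(today)
    rows = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": item["asset"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "overdue": now > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    rows.sort(key=lambda r: (r["due"], r["asset"], r["cve"]))
    return rows


if __name__ == "__main__":
    # In production, replace SAMPLE_KEV_JSON with the downloaded feed:
    # https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
    for r in triage(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2025-03-25"):
        flag = "OVERDUE" if r["overdue"] else "due " + r["due"].isoformat()
        print(f'{r["asset"]:<16}{r["cve"]:<18}{r["product"]:<40}{flag}')
```

Feeding the output into a ticketing system gives a defensible, dated record of which exploited-in-the-wild issues were open on each asset and when they were closed.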

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates