In this week's Security Advisory:
It is being reported that these vulnerabilities are now being exploited in the wild. Users should patch immediately if they have not done so already.
More Reading/Information
Original Advisory:
SimpleHelp is remote support software that allows IT staff to remotely access user workstations without user interaction. The most critical vulnerability, CVE-2024-57726 (CVSS 9.9/10), allows an attacker with technician access to elevate themselves to an admin role. These attackers can then interact with user machines if unattended access is configured. Two other high-severity vulnerabilities were also fixed in the released patch: CVE-2024-57727 (CVSS 7.5/10) and CVE-2024-57728 (CVSS 7.2/10).
Affected Versions
More Reading/Information
Cisco has released an advisory for a critical privilege escalation vulnerability in its Meeting Management application. The vulnerability, CVE-2025-20156 (CVSS 9.9), resides in the REST API and could allow a remote authenticated user to escalate their privileges from a low level to an admin role. Successful exploitation would allow an attacker to control all nodes the affected application manages.
Affected Versions
More Reading/Information
VMware released an advisory yesterday for an SQL injection vulnerability in its Avi Load Balancer. This application helps organizations distribute and manage incoming traffic across multiple servers and also provides web application security. The vulnerability, CVE-2025-22217 (CVSS 8.6/10), could lead to an attacker gaining wider access to a database.
Affected Versions
More Reading/Information
Apple has announced updates to a variety of its products addressing multiple vulnerabilities, including a zero-day vulnerability that it says has been exploited in the wild. The zero-day vulnerability, CVE-2025-24085, affects the CoreMedia component of Apple iOS, and reports suggest it has been actively exploited against versions of iOS before 17.2. If exploited, the vulnerability could permit a malicious application to elevate its privileges.
Affected Versions
More Reading/Information
QNAP has released a patch for six rsync vulnerabilities affecting its HBS 3 Hybrid Backup Sync. The vulnerabilities could be chained together by a remote user to execute arbitrary code on the system. The attacker would need at least read access to the server to be able to exploit these vulnerabilities.
Affected Versions
More Reading/Information
Security researchers issued a warning that a critical zero-day vulnerability affecting Zyxel CPE Series devices is being exploited in the wild. The vulnerability, CVE-2024-40891, is a critical command injection vulnerability that has not been publicly disclosed or patched. Because no patch is currently available, users of Zyxel CPE devices are advised to follow the recommendations below.
More Reading/Information
Google has released a new version of Chrome to address multiple vulnerabilities. The most critical of these could allow remote code execution. There are no reports of these vulnerabilities being exploited in the wild yet.
More Reading/Information
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which informs and strengthens your patch and vulnerability management program.