In this week's Security Advisory:
A critical vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) firmware that allows an attacker to bypass authentication. The flaw, CVE-2024-54085 (CVSS 10/10), can be exploited remotely by an attacker who can reach the BMC's remote management interface, or from the host itself by an attacker who already controls the server's operating system and can talk to the BMC over its internal host interface. Because the BMC sits beneath the operating system and controls power, console and firmware, a compromised BMC gives the attacker full control of the server. BMC management interfaces should be isolated on a dedicated management network and never exposed to the internet.
Affected Versions
More Reading/Information
Cisco has released patches for ten vulnerabilities affecting its IOS XR software, five of which can be exploited to cause a denial-of-service (DoS) condition. The most severe DoS flaws are CVE-2025-20142
Affected Versions
More Reading/Information
Nvidia released patches for two vulnerabilities in its Riva service. Riva is NVIDIA's GPU-accelerated SDK for building speech AI applications (speech recognition, translation and text-to-speech). Both vulnerabilities, CVE-2025-23242 (CVSS 7.3/10) and CVE-2025-23243 (CVSS 6.5/10), are improper access control issues. Successful exploitation could lead to privilege escalation, data tampering, denial of service, or information disclosure.
Affected Versions
More Reading/Information
SAP released its March patch bundle, which includes twenty-one new security notes covering its Commerce, NetWeaver, and Commerce Cloud products. The highest-severity new vulnerabilities are CVE-2025-27434 and CVE-2025-26661 (both CVSS 8.8/10). CVE-2025-27434 is a cross-site scripting (XSS) vulnerability in SAP Commerce that allows an unauthenticated attacker to inject malicious script; CVE-2025-26661 is a missing authorization check in SAP NetWeaver.
Affected Versions
More Reading/Information
Meta warned of a vulnerability in the FreeType open-source font rendering library that may be under active exploitation in the wild. The vulnerability, CVE-2025-27363 (CVSS 8.1/10), is an out-of-bounds write triggered when parsing font subglyph structures in TrueType GX and variable fonts; a maliciously crafted font could be used to achieve arbitrary code execution. FreeType is embedded in many applications and operating systems, so the fix must reach not only the system library but also any software that bundles its own copy.
Affected Versions
More Reading/Information
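Because FreeType is so widely bundled, the practical question for the CVE-2025-27363 item is "which version is actually loaded on this host?" The following script is an added example, not code from the advisory or from the FreeType project: it asks the installed libfreetype for its version through the real FreeType API (FT_Init_FreeType, FT_Library_Version, FT_Done_FreeType) via ctypes and compares it against the upstream affected range stated by Meta (2.13.0 and earlier). The LAST_AFFECTED constant and the helper names are this example's own. One caveat a version check cannot capture: Linux distributions often backport the fix without bumping the upstream version number, so treat a hit on a distro-managed library as "verify against the distro's advisory", not as proof of exposure.

```python
import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

# Upstream affected range per Meta's advisory for CVE-2025-27363:
# FreeType 2.13.0 and earlier. (Constant name is this example's own.)
LAST_AFFECTED: Tuple[int, int, int] = (2, 13, 0)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a major.minor.patch tuple from strings such as '2.13.3',
    'FreeType 2.12.1' or a distro string like '2.12.1-2ubuntu1' (the
    distro suffix is ignored, which is exactly why a backport can fool us)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_affected(version: Tuple[int, int, int],
                last_affected: Tuple[int, int, int] = LAST_AFFECTED) -> bool:
    """True if the upstream version number falls inside the affected range.
    Tuple comparison handles 2.9.1 vs 2.13.0 correctly, unlike string compare."""
    return tuple(version) <= tuple(last_affected)


def loaded_freetype_version(libname: Optional[str] = None) -> Optional[Tuple[int, int, int]]:
    """Return the version reported by the libfreetype the dynamic loader finds,
    or None if no library can be loaded or initialised."""
    path = libname or ctypes.util.find_library("freetype")
    if path is None:
        return None
    try:
        ft = ctypes.CDLL(path)
    except OSError:
        return None

    # FT_Error FT_Init_FreeType(FT_Library *alibrary);
    ft.FT_Init_FreeType.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    ft.FT_Init_FreeType.restype = ctypes.c_int
    # void FT_Library_Version(FT_Library, FT_Int *major, FT_Int *minor, FT_Int *patch);
    ft.FT_Library_Version.argtypes = [ctypes.c_void_p] + [ctypes.POINTER(ctypes.c_int)] * 3
    ft.FT_Library_Version.restype = None
    # FT_Error FT_Done_FreeType(FT_Library);
    ft.FT_Done_FreeType.argtypes = [ctypes.c_void_p]
    ft.FT_Done_FreeType.restype = ctypes.c_int

    lib = ctypes.c_void_p()
    if ft.FT_Init_FreeType(ctypes.byref(lib)) != 0:
        return None
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    ft.FT_Library_Version(lib, ctypes.byref(major), ctypes.byref(minor), ctypes.byref(patch))
    ft.FT_Done_FreeType(lib)
    return (major.value, minor.value, patch.value)


def report(version: Optional[Tuple[int, int, int]]) -> str:
    """Human-readable verdict; the backport caveat is part of the verdict on purpose."""
    if version is None:
        return "libfreetype not found or failed to initialise"
    v = ".".join(map(str, version))
    if is_affected(version):
        return (f"FreeType {v}: upstream version is in the affected range for "
                "CVE-2025-27363; check whether your distro backported the fix")
    return f"FreeType {v}: upstream version is outside the affected range"


if __name__ == "__main__":
    print(report(loaded_freetype_version()))
```

Run it on each host (or inside each container image) rather than once per fleet, since applications that ship a private libfreetype will not be covered by the system library's version; pass the bundled library's path as `libname` to check those copies.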
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only: it dramatically increases the likelihood that a patch is issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, including libraries bundled inside applications and firmware on management controllers, since that inventory is what informs your patch and vulnerability management program.