Patch/Configuration Management

Misuse of the vulnerable $where operator can allow arbitrary code to be executed on a Node.js application server.

The collaboration seeks to address gaps between cloud infrastructure and application security, allowing organizations to gain improved visibility.

Threat actors exploiting the flaw, tracked as CVE-2025-24989, could achieve privilege escalation in targeted networks and user registration control evasion to facilitate unauthorized site access, reported Microsoft, which noted the issue to impact only certain Power Pages users, who were urged to examine their websites for possible compromise.

Aside from including individuals' names, birthdates, email addresses, phone numbers, vaccination statuses, and medication details, other surveys in the misconfigured database also had information on adverse COVID-19 vaccine reactions, pregnancy status, birth control usage, and physician's names.

The critical SonicOS SSLVPN flaw and high-severity PAN-OS flaw both risk authentication bypass.

Security consultancy Quarkslab said that the flaw could allow threat actors to bypass USB lockouts.

If the VerifyHostKeyDNS option is activated, an attacker could impersonate a server to hijack SSH sessions.

Maintained by the Forum of Incident Response and Security Teams and used to assess the severity of software vulnerabilities, CVSS has recently been challenged anew for its complexity, perceived imprecision, and potential misuse.