Cybersecurity Alert: Critical Vulnerabilities Exposed!


Daily Cybersecurity Roundup

Good day, cybersecurity enthusiasts! Today’s briefing highlights a mixed bag of critical vulnerabilities and industry news. We’re seeing high-severity issues across a range of products – from IBM’s Backup, Recovery and Media Services to multiple vulnerabilities in Dell’s ControlVault offerings, and even some hot-off-the-press critical issues affecting OpenC3 COSMOS and TOTOLINK devices. Grab a cup of tea, and let’s dive into the latest details.

IBM Backup, Recovery and Media Services Vulnerability

IBM’s Backup, Recovery and Media Services for i (versions 7.4 and 7.5) harbour a vulnerability (CVE-2025-33108) that could allow an attacker who already has limited access to gain elevated privileges. This happens because of an unqualified call within a BRMS program. Essentially, what appears to be an innocent library call might lead to code running with broader access – a good reminder to always keep systems patched and process reviews top of mind.

Multiple Dell ControlVault Vulnerabilities

Dell’s ControlVault products are under the microscope today with several high-severity vulnerabilities:

  • Arbitrary Free Vulnerability (CVE-2025-25215): An issue in the cv_close functionality of ControlVault3 and ControlVault3 Plus may result in an arbitrary free, allowing a malicious actor to forge a fake session and trigger the vulnerability.
  • Deserialization Vulnerability (CVE-2025-24919): Problems with deserialising untrusted input can permit arbitrary code execution if a specially crafted response is issued.
  • Out-of-Bounds Write (CVE-2025-25050): A crafted API call might trigger an out-of-bounds write in the sensor firmware upgrade function.
  • Stack-Based Buffer Overflow (CVE-2025-24922): A vulnerability within the securebio_identify function could lead to code execution via a malicious cv_object.
  • Out-of-Bounds Read (CVE-2025-24311): This flaw in the cv_send_blockdata functionality can cause an information leak, which attackers could exploit with a carefully timed API call.

These issues serve as a stark reminder that even trusted hardware and firmware layers are not immune to vulnerabilities.

Drupal and Web Application Concerns

Drupal users should be wary of several cross-site scripting (XSS) vulnerabilities today:

  • Drupal Simple Klaro (CVE-2025-48918): Improper input neutralisation in web page generation opens the door to XSS attacks.
  • Drupal COOKiES Consent Management (CVE-2025-48914 & CVE-2025-48915): Two separate XSS vulnerabilities have been identified, emphasising the need for stringent input validation within consent management systems.

These issues are a classic case of why robust coding and continuous security testing remain essential for content management systems.
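The Drupal items above are both instances of "improper neutralisation of input during web page generation". The following is an added illustration of that class, not code from Drupal, from either module, or from this post: a constructed consent-banner site name is rendered once by string concatenation and once with HTML escaping, and a small parser shows which elements a browser would actually create from each output. Names such as `render_banner_unsafe` and the sample input are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed sample input: a site name as an attacker might submit it through
# a consent-banner configuration form. Not taken from any Drupal module.
UNTRUSTED_SITE_NAME = '<img src=x onerror="alert(1)">'


def render_banner_unsafe(site_name: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML.

    Whatever markup the input carries becomes part of the page (stored XSS).
    """
    return f'<div class="consent">{site_name} uses cookies. <button>Accept</button></div>'


def render_banner_safe(site_name: str) -> str:
    """Hardened pattern: escape for the HTML text context before interpolation.

    html.escape turns <, >, &, " and ' into entity references, so the browser
    renders the input as literal text instead of parsing it as markup.
    """
    escaped = html.escape(site_name, quote=True)
    return f'<div class="consent">{escaped} uses cookies. <button>Accept</button></div>'


class _TagCollector(HTMLParser):
    """Records every element start tag the parser sees in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def element_names(fragment: str) -> List[str]:
    """Return the element names a browser-like parser would create from the fragment.

    Used here as a check: output built from untrusted text should contain only
    the elements the template itself defines.
    """
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", element_names(render_banner_unsafe(UNTRUSTED_SITE_NAME)))  # ['div', 'img', 'button']
    print("safe:  ", element_names(render_banner_safe(UNTRUSTED_SITE_NAME)))    # ['div', 'button']
```

The escaping function must match the output context: `html.escape` is correct for element text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an inline event handler needs a different encoder, which is why templating engines that escape by default (as Drupal's Twig layer does) are preferable to hand-built string concatenation.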

Tenable Agent Local Privilege Escalation Issues

Attention Tenable Agent users, particularly on Windows hosts – two privilege escalation vulnerabilities have been identified:

  • Arbitrary File Deletion (CVE-2025-36633): Non-administrative users may delete critical system files, potentially escalating their privileges.
  • Arbitrary File Overwrite (CVE-2025-36631): A related flaw in which local system files can be overwritten with log content written at SYSTEM privilege.

These vulnerabilities should prompt immediate review and the application of necessary patches to maintain system integrity.

OpenC3 COSMOS: Critical Vulnerabilities

OpenC3 COSMOS 6.0.0 faces several critical vulnerabilities which could significantly compromise system security:

  • Password Bypass (CVE-2025-28389): Weak password requirements may allow attackers to bypass authentication altogether via brute force.
  • Directory Traversal (CVE-2025-28384): A flaw in the script API endpoint enables attackers to navigate directories that should be off-limits.
  • Hardcoded Credentials (CVE-2025-28388): The presence of hardcoded credentials for the Service Account presents a grave security risk.

With some of these issues scoring as critical (up to 9.8 severity), organisations should address them with urgency.
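The directory traversal item above describes a script API endpoint that lets a caller reach files outside the intended directory. As an added example (not OpenC3 code and not a description of the actual flaw), here is the containment check such an endpoint needs: the requested name is joined to a base directory, both are normalised, and the result is accepted only if it is the base directory or one of its descendants. `SCRIPT_ROOT`, the function names and the sample requests are assumptions for the example.

```python
from pathlib import Path

# Hypothetical base directory for stored scripts. A placeholder for this
# example, not the real OpenC3 COSMOS layout.
SCRIPT_ROOT = Path("/srv/example-scripts")


def resolve_script_path(root: Path, requested: str) -> Path:
    """Map a client-supplied script name to a file path confined to `root`.

    Both paths are normalised (collapsing '.', '..' and any symlinks that
    exist) and the result must be `root` itself or a descendant of it.
    Raises ValueError for anything that escapes.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    base = root.resolve()
    # pathlib discards `base` when `requested` is absolute, so the containment
    # check below has to run on the joined, normalised result.
    candidate = (base / requested).resolve()
    # Comparing against `parents` rather than a string prefix prevents
    # "/srv/example-scripts-evil" from passing as inside "/srv/example-scripts".
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes script root: {requested!r}")
    return candidate


def is_allowed_script_request(root: Path, requested: str) -> bool:
    """Boolean wrapper for the check, convenient for request validation."""
    try:
        resolve_script_path(root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests, as a client might send them to the endpoint.
    for req in ["procedures/launch.rb", "procedures/../procedures/abort.rb",
                "../../etc/passwd", "/etc/passwd", "../example-scripts-evil/x.rb"]:
        verdict = "allowed" if is_allowed_script_request(SCRIPT_ROOT, req) else "rejected"
        print(f"{req!r}: {verdict}")
```

The check assumes the request has already been URL-decoded exactly once by the web framework; validating a still-encoded `%2e%2e` would let it slip through. Many services go further and reject any `..` component outright, which is simpler to audit than allowing traversal that happens to stay inside the root.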

TOTOLINK Buffer Overflow Vulnerability

TOTOLINK N600R devices (v4.3.0cu.7866_B2022506) are affected by a buffer overflow vulnerability (CVE-2025-46060). This flaw within the UPLOAD_FILENAME component might allow remote code execution. It’s yet another instance of how even everyday networking hardware can harbour significant security flaws.

Other Notable Developments

In addition to technical vulnerabilities, the political and business landscapes are also buzzing. House Democrats are calling for a comprehensive review of the NVD and CVE systems – a move that could reshape how vulnerabilities are tracked and addressed in the future. Meanwhile, cybersecurity expertise is on the move with Alex van Someren joining Paladin Capital Group as a Strategic Advisor to bolster advisory efforts on global cyber and AI threats.

On the investment front, market watchers are keeping a close eye on Cenovus Energy Inc. common share purchase warrants (CVE.WT:CA) as part of broader investment strategy analysis. It seems cybersecurity and finance continue to intersect in unexpected ways!

In an environment where vulnerabilities are scored as high as 8.0 and above, maintaining robust security measures is more important than ever. Organisations across all sectors can benefit from thorough compliance practices. Here at Synergos Consultancy, based in Huddersfield, we understand how crucial it is to align with best practices and standards like ISO, GDPR, and more. Whether you’re patching systems or securing your operations through established frameworks, every step fortifies your defences against tomorrow’s threats.

Stay alert, keep your systems updated, and remember – a secure digital space is a shared victory!


Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.