Cybersecurity threats are evolving rapidly, and even widely used software can have serious flaws. Here are four major vulnerabilities discovered recently that you should know about:
1. Microsoft WSUS – Remote Code Execution
- CVE: CVE-2025-59287
- CVSS Score: 9.8 (Critical)
- Discovered: October 24, 2025
- Summary:
  - This vulnerability affects Windows Server Update Services (WSUS).
  - Attackers can exploit unsafe deserialization in WSUS reporting services to execute arbitrary code.
  - Exploitation grants SYSTEM-level privileges, enabling ransomware deployment or command-and-control channels.
  - The flaw was actively exploited in the wild immediately after disclosure.
  - Microsoft released an out-of-band patch; organizations should apply it and restrict WSUS ports to trusted sources.
2. Microsoft Graphics Component – Use-After-Free
- CVE: CVE-2025-49708
- CVSS Score: 9.9 (Critical)
- Discovered: October 14, 2025
- Summary:
  - This vulnerability exists in the Microsoft Graphics Component.
  - It is a memory corruption issue caused by a Use-After-Free bug.
  - Attackers can exploit it to execute arbitrary code remotely or escalate privileges.
  - While no active exploitation was confirmed at disclosure, its severity demands immediate patching.
  - Apply Microsoft’s October Patch Tuesday update to mitigate this risk.
3. Redis – Remote Code Execution via Lua Sandbox Escape
- CVE: CVE-2025-49844
- CVSS Score: 10.0 (Critical)
- Discovered: November 2025
- Summary:
  - A 13-year-old bug in Redis was discovered, allowing attackers to escape the Lua scripting sandbox.
  - Exploitation requires authenticated access but can lead to full host compromise.
  - Attackers can execute arbitrary native code, steal data, and move laterally in cloud environments.
  - Redis and Valkey have released patched versions; immediate updates are essential.
  - Organizations using Redis in cloud environments are at high risk if not patched.
4. React Native CLI – Remote Code Execution
- CVE: CVE-2025-11953
- CVSS Score: 9.8 (Critical)
- Discovered: November 4, 2025
- Summary:
  - This vulnerability affects the popular React Native development environment.
  - Attackers can exploit unsafe handling of user input in the CLI’s /open-url endpoint.
  - Exploitation allows arbitrary OS commands to run on developer machines.
  - Millions of developers using React Native are potentially exposed.
  - A patch is available in version 20.0.0; developers should update immediately.
Why CVSS Scores Matter
- 9.0–10.0 = Critical (Act immediately!)
- 7.0–8.9 = High (Fix ASAP)
Bottom line: If you use Microsoft WSUS, Microsoft Graphics Component, Redis, or React Native, patch immediately and review your security controls.