Weekly Briefing: Top 5 Hacker-Relevant Vulnerabilities

Jan 31, 2025

ENTRYZERO
Every 15 minutes, a new vulnerability emerges, leading to an average of around 650 new vulnerabilities each week — an overwhelming pace to manage. The average cost of a data breach has skyrocketed to a record high of $4.45 million globally. To help organizations allocate resources effectively and address the riskiest vulnerabilities first, we are developing a novel decision-tree-based prioritization approach. Trained on over 100,000 vulnerabilities and threat intelligence, this method extends industry standards like CVSS and EPSS, capturing the real-time risk and context of new vulnerabilities (shoutout to VulnCheck for providing comprehensive and current CVE data). In this post, we present the top 5 vulnerabilities of the week based on a sub-tree of the model.
Product | Access Vector | Description | CVE | References
Calendar Week 05 2025
Microsoft Windows | Unauthenticated Remote Attack | NTLMv2 Hash Disclosure Spoofing Vulnerability | CVE-2024-43451 | Details, PoC
VMware Avi Load Balancer | Unauthenticated Remote Attack | SQL Injection Vulnerability | CVE-2025-22217 | Details
Oracle JD Edwards EnterpriseOne Tools | Unauthenticated Remote Attack | Code Injection Vulnerability | CVE-2025-21524 | Details
QNAP QTS and QuTS hero | Unauthenticated Remote Attack | Link Following Vulnerability | CVE-2024-53691 | Details, PoC
Liferay Portal | Unauthenticated Remote Attack | Cross-Site Scripting (XSS) Vulnerability | CVE-2024-25608 | Details
Calendar Week 04 2025
Mitel MiCollab | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-41713 | Details, PoC
Next.js | Unauthenticated Remote Attack | Authorization Bypass Vulnerability | CVE-2024-46982 | Details, PoC
SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Server (CMS) | Unauthenticated Remote Attack | Deserialization of Untrusted Data Vulnerability | CVE-2025-23006 | Details
Jenkins Bitbucket Server Integration and OpenID Connect Authentication Plugins | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Cross-Site Request Forgery (CSRF) and Incorrect Default Permissions | CVE-2025-24398, CVE-2025-24399 | Details
Linear eMerge e3-Series | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-9441 | Details, PoC
Calendar Week 03 2025
Microsoft Configuration Manager | Unauthenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-43468 | Details, PoC
Fortinet FortiOS | Unauthenticated Remote Attack | Authorization Bypass Vulnerability | CVE-2024-55591 | Details, PoC
Kubernetes kubelet | Authenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-10220 | Details, PoC
Windows OLE | Unauthenticated Remote Attack | Use After Free Vulnerability | CVE-2025-21298 | Details
Oracle Agile PLM Framework | Unauthenticated Remote Attack | Incorrect Authorization Vulnerability | CVE-2024-21287 | Details
Calendar Week 02 2025
Aviatrix Controller | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-50603 | Details, PoC
WordPress GiveWP Donation Plugin and Fundraising Platform | Unauthenticated Remote Attack | PHP Object Injection Vulnerability | CVE-2024-8353 | Details, PoC
Ivanti Connect Secure, Policy Secure, and ZTA Gateways | Unauthenticated Remote Attack | Stack-Based Buffer Overflow Vulnerabilities | CVE-2025-0282, CVE-2025-0283 | Details
Oracle WebLogic Server | Unauthenticated Remote Attack | Improper Deserialization Vulnerability | CVE-2020-2883 | Details, PoC
SonicWall SonicOS SSLVPN | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-53704 | Details
Calendar Week 01 2025
Windows Lightweight Directory Access Protocol (LDAP) | Unauthenticated Remote Attack | Denial of Service Vulnerability | CVE-2024-49113 | Details, PoC
Apache Traffic Control | Authenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-45387 | Details, PoC
Oracle WebLogic Server | Unauthenticated Remote Attack | Java Naming and Directory Interface (JNDI) Injection Vulnerability | CVE-2024-21182 | Details, PoC
Progress WhatsUp Gold | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Authentication Bypass and LDAP Configuration | CVE-2024-12106, CVE-2024-12108 | Details
D-Link DIR-845L router | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-33112 | Details
Calendar Week 52 2024
Apache Tomcat | Unauthenticated Remote Attack | Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability | CVE-2024-56337 | Details, PoC
Splunk Enterprise | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-36991 | Details, PoC
Craft CMS | Unauthenticated Remote Attack | Code Injection Vulnerability | CVE-2024-56145 | Details, PoC
libxml2 | Unauthenticated Remote Attack | External Entity Injection Vulnerability | CVE-2024-40896 | Details
Adobe ColdFusion | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-53961 | Details
Calendar Week 51 2024
Apache Tomcat | Unauthenticated Remote Attack | Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability | CVE-2024-50379 | Details, PoC
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-12356 | Details
Spring Framework | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-38819 | Details, PoC
Sophos Firewall | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Code Injection, Weak Credentials and SQL Injection | CVE-2024-12727, CVE-2024-12728, CVE-2024-12729 | Details
Kerio Control | Unauthenticated Remote Attack | HTTP Response Splitting Vulnerability | CVE-2024-52875 | Details, PoC
Calendar Week 50 2024
Cleo Harmony, VLTrader and LexiCom | Unauthenticated Remote Attack | Unrestricted File Upload and Download Vulnerability | CVE-2024-50623 | Details, PoC
Ivanti Cloud Service Appliance | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-11639 | Details
WordPress Plugins - Widget Options, WP Umbrella, My Geo Posts | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Improper Input Sanitization, Arbitrary File Upload and Deserialization of Untrusted Data | CVE-2024-8672, CVE-2024-12209, CVE-2024-52433 | Details1, Details2, Details3, PoC1, PoC2, PoC3
Microsoft Windows LDAP and Common Log File System | Unauthenticated Remote Attack | Multiple Vulnerabilities Including Remote Code Execution and Heap-based Buffer Overflow | CVE-2024-49112, CVE-2024-49138 | Details1, Details2
Apache Struts | Unauthenticated Remote Attack | Unrestricted File Upload Vulnerability | CVE-2024-53677 | Details
Calendar Week 49 2024
Zabbix Server | Authenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-42327 | Details, PoC
ProjectSend | Unauthenticated Remote Attack | Improper Authentication Vulnerability | CVE-2024-11680 | Details, PoC
SailPoint IdentityIQ | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-10905 | Details
TP-Link Archer, Deco, and Tapo Series Routers | Authenticated Remote Attack | Command Injection Vulnerability | CVE-2024-53375 | Details, PoC
7-Zip Zstandard Decompression | Unauthenticated Remote Attack | Integer Underflow Vulnerability | CVE-2024-11477 | Details, PoC
Calendar Week 48 2024
CleanTalk Spam Protection and Firewall Plugin for WordPress | Unauthenticated Remote Attack | Authorization Bypass Vulnerability | CVE-2024-10542 | Details, PoC
OpenSSL | Unauthenticated Remote Attack | Memory Corruption and Command Injection Vulnerabilities | CVE-2024-5535, CVE-2022-2274, CVE-2022-1292, CVE-2022-2068 | Details, PoC1, PoC2
Zyxel ATP and USG Flex Firewall | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-42057 | Details
QNAP QuRouter | Unauthenticated Remote Attack | Command Injection Vulnerabilities | CVE-2024-48860, CVE-2024-48861 | Details
Kubernetes Kubelet | Authenticated Remote Attack | Path Traversal Vulnerability | | Details
Calendar Week 47 2024
Palo Alto PAN-OS | Unauthenticated Remote Attack | Authentication Bypass and Command Injection Vulnerabilities | CVE-2024-0012, CVE-2024-9474 | Details1, Details2, PoC1, PoC2
WordPress WP Time Capsule Backup and Staging Plugin | Unauthenticated Remote Attack | Arbitrary File Upload Vulnerability | CVE-2024-8856 | Details, PoC
WordPress Really Simple Security Plugin | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-10924 | Details, PoC
Citrix Session Recording | Authenticated Remote Attack | Deserialization of Untrusted Data Vulnerability | CVE-2024-8069 | Details, PoC
SAP BusinessObjects Business Intelligence Platform | Unauthenticated Remote Attack | Missing Authentication Check Vulnerability | CVE-2024-41730 | Details, PoC
Calendar Week 46 2024
Rocket.Chat | Unauthenticated Remote Attack | Server-Side Request Forgery (SSRF) Vulnerability | CVE-2024-39713 | Details, PoC
D-Link NAS Devices | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-10914 | Details, PoC
Fortinet FortiManager | Unauthenticated Remote Attack | Missing Authentication Vulnerability | CVE-2024-47575 | Details, PoC
Nginx UI | Unauthenticated Remote Attack | Logrotate Misconfiguration Vulnerability | CVE-2024-49368 | Details, PoC
LiteSpeed Cache | Unauthenticated Remote Attack | Insufficiently Protected Credentials Vulnerability | CVE-2024-44000 | Details, PoC
Calendar Week 45 2024
Jenkins Command Line Interface | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-23987 | Details, PoC
ScienceLogic SL1 | Unauthenticated Remote Attack | Remote Code Execution Vulnerability | CVE-2024-9537 | Details
Cisco Ultra-Reliable Wireless Backhaul Access Points | Unauthenticated Remote Attack | Improper Input Validation Vulnerability | CVE-2024-20418 | Details
HPE Aruba Networking Access Points | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-42509 | Details
Symfony PHP Framework | Unauthenticated Remote Attack | Improper Input Validation Vulnerability | CVE-2024-50340 | Details, PoC
Calendar Week 44 2024
CyberPanel | Unauthenticated Remote Attack | Authentication Bypass and Command Injection Vulnerabilities | CVE-2024-51567, CVE-2024-51378 | Details, PoC1, PoC2
Roundcube Webmail | Unauthenticated Remote Attack | Cross-Site Scripting (XSS) Vulnerability | CVE-2024-37383 | Details, PoC
PyTorch | Unauthenticated Remote Attack | Insecure Deserialization Vulnerability | CVE-2024-48063 | Details, PoC
Microsoft SharePoint | Authenticated Remote Attack | Insecure Deserialization Vulnerability | CVE-2024-38094 | Details
Microsoft Windows Server | Authenticated Remote Attack | Elevation of Privilege Vulnerability | CVE-2024-43532 | Details
Calendar Week 43 2024
Grafana | Authenticated Remote Attack | Code Injection Vulnerability | CVE-2024-9264 | Details, PoC1, PoC2
pfSense | Unauthenticated Remote Attack | Cross-Site Scripting (XSS) Vulnerability | CVE-2024-46538 | Details, PoC
Fortinet FortiManager | Unauthenticated Remote Attack | Missing Authentication Vulnerability | CVE-2024-47575 | Details1, Details2
WordPress TI WooCommerce Wishlist Plugin | Unauthenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-43917 | Details, PoC
WordPress Premium ARForms Form Builder Plugin | Unauthenticated Remote Attack | Unauthenticated File Upload Vulnerability | CVE-2024-4620 | Details, PoC
Calendar Week 42 2024
ConnectWise ScreenConnect | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-1709 | Details
GitHub Enterprise Server | Unauthenticated Remote Attack | Improper Verification of Cryptographic Signature | CVE-2024-9487 | Details
Ruby SAML | Unauthenticated Remote Attack | Improper Verification of SAML Response Signature | CVE-2024-45409 | Details, PoC
Mozilla Firefox and Firefox ESR | Unauthenticated Remote Attack | Use After Free Vulnerability | CVE-2024-9680 | Details, PoC
Veeam Backup and Replication | Unauthenticated Remote Attack | Deserialization of Untrusted Data Vulnerability | CVE-2024-40711 | Details, PoC
Calendar Week 41 2024
Palo Alto Networks Expedition | Unauthenticated Remote Attack | OS and SQL Injection Vulnerabilities | CVE-2024-9463, CVE-2024-9464, CVE-2024-9465 | Details, PoC1, PoC2
Mozilla Firefox and Firefox ESR | Unauthenticated Remote Attack | Use After Free Vulnerability | CVE-2024-9680 | Details
Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb | Unauthenticated Remote Attack | Format String Vulnerability | CVE-2024-23113 | Details
Windows RDP | Unauthenticated Remote Attack | Use After Free Vulnerability | CVE-2024-43582 | Details
PostgreSQL pgAdmin | Unauthenticated Remote Attack | Insufficiently Protected Credentials in OAuth2 Authentication | CVE-2024-9014 | Details, PoC
Calendar Week 40 2024
Cisco IOS XE | Unauthenticated Remote Attack | Improper Resource Management Vulnerability | CVE-2024-20467 | Details
OpenPrinting CUPS | Unauthenticated Remote Attack | Binding to an Unrestricted IP Address and Input Validation Vulnerabilities | CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177 | Details, PoC1, PoC2
Check Point Quantum Security Gateways | Unauthenticated Remote Attack | Information Disclosure Vulnerability | CVE-2024-24919 | Details, PoC
Synacor Zimbra Collaboration | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-45519 | Details, PoC
Broadcom VMware vCenter Server | Unauthenticated Remote Attack | Heap Overflow Vulnerability | CVE-2024-38812 | Details
Calendar Week 39 2024
OpenPrinting CUPS | Unauthenticated Remote Attack | Binding to an Unrestricted IP Address and Input Validation Vulnerabilities | CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177 | Details, PoC
Aruba Access Points | Unauthenticated Remote Attack | Command Injection Vulnerabilities | CVE-2024-42505, CVE-2024-42506, CVE-2024-42507 | Details
Cisco Smart Licensing Utility | Unauthenticated Remote Attack | Use of Hard-coded Credentials Vulnerability | CVE-2024-20439 | Details, PoC
MediaTek Wi-Fi Chipsets | Unauthenticated Remote Attack | Out-of-Bounds Write Vulnerability | CVE-2024-20017 | Details, PoC
Keycloak | Authenticated Remote Attack | Improper Signature Verification Vulnerability | CVE-2024-8698 | Details
Calendar Week 38 2024
Apache HugeGraph | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-27348 | Details, PoC
Ivanti Endpoint Manager | Unauthenticated Remote Attack | Improper Deserialization of Untrusted Data Vulnerability | CVE-2024-29847 | Details, PoC
ThinkPHP | Unauthenticated Remote Attack | Improper Deserialization of Untrusted Data Vulnerability | CVE-2024-44902 | Details, PoC
Raisecom Gateway Devices | Unauthenticated Remote Attack | Command Injection Vulnerability | | Details, PoC
Broadcom vCenter Server | Unauthenticated Remote Attack | Heap Overflow Vulnerability | | Details
Calendar Week 37 2024
Kemp LoadMaster | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-1212 | Details, PoC
Qualitor ITSM | Unauthenticated Remote Attack | Arbitrary File Upload Vulnerability | CVE-2024-44849 | Details, PoC
Apache OFBiz | Unauthenticated Remote Attack | Server-Side Request Forgery Vulnerability | CVE-2024-45507 | Details, PoC
SonicWall SonicOS | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-40766 | Details
GitLab CE/EE | Authenticated Remote Attack | Pipeline Execution Vulnerability | CVE-2024-6678 | Details
Calendar Week 36 2024
Cisco Smart Licensing Utility | Unauthenticated Remote Attack | Sensitive Information in Log Files and Static Admin Credentials Vulnerabilities | CVE-2024-20439, CVE-2024-20440 | Details, PoC1, PoC2
Veeam Backup & Replication | Unauthenticated Remote Attack | Remote Code Execution Vulnerability | CVE-2024-40711 | Details
Ivanti Virtual Traffic Manager | Unauthenticated Remote Attack | Admin Authentication Bypass Vulnerability | CVE-2024-7593 | Details, PoC
Zyxel APs and Security Router Devices | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-7261 | Details
WhatsUp Gold | Unauthenticated Remote Attack | SQL Injection Vulnerability | CVE-2024-6670 | Details, PoC
Calendar Week 35 2024
WordPress LiteSpeed Cache | Unauthenticated Remote Attack | Incorrect Privilege Assignment Vulnerability | CVE-2024-28000 | Details, PoC
AVTECH IP Cameras | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-7029 | Details, PoC
Apache OFBiz | Unauthenticated Remote Attack | Path Traversal and Incorrect Authorization Vulnerabilities | CVE-2024-32113, CVE-2024-38856 | Details, PoC1, PoC2
Google Chromium V8 | Unauthenticated Remote Attack | Type Confusion and Inappropriate Implementation Vulnerabilities | CVE-2024-5274, CVE-2024-7965 | Details1, Details2, PoC
SonicWall SonicOS | Unauthenticated Remote Attack | Improper Access Control Vulnerability | CVE-2024-40766 | Details
Calendar Week 34 2024
GitHub Enterprise Server | Unauthenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-6800 | Details
Ingress Nginx Controller | Authenticated Remote Attack | Annotation Validation Bypass Vulnerability | CVE-2024-7646 | Details, PoC
ServiceNow | Unauthenticated Remote Attack | Input Validation and Incomplete List of Disallowed Inputs Vulnerabilities | CVE-2024-5217, CVE-2024-4879 | Details, PoC1, PoC2
Dahua IP Cameras, Video Intercom, NVR, XVR devices | Unauthenticated Remote Attack | Authentication Bypass Vulnerabilities | CVE-2021-33044, CVE-2021-33045 | Details, PoC
Apache HTTP Server | Unauthenticated Remote Attack | Substitution Encoding Vulnerabilities | CVE-2024-38474, CVE-2024-38475 | Details, PoC
Calendar Week 33 2024
TOTOLINK EX1800T and A3700R | Unauthenticated Remote Attack | Command Injection Vulnerabilities | CVE-2024-34257, CVE-2023-46574 | Details, PoC1, PoC2
Windows 10, 11, and Server | Unauthenticated Remote Attack | TCP/IP Buffer Overflow Vulnerability in IPv6 Stack | CVE-2024-38063 | Details, PoC
VMware ESXi | Authenticated Remote Attack | Authentication Bypass Vulnerability | CVE-2024-37085 | Details, PoC
SolarWinds Web Help Desk | Unauthenticated Remote Attack | Deserialization of Untrusted Data Vulnerability | CVE-2024-28986 | Details
Ivanti Virtual Traffic Manager | Unauthenticated Remote Attack | Admin Authentication Bypass Vulnerability | CVE-2024-7593 | Details
Calendar Week 32 2024
Cacti Network Monitoring and Fault Management Framework | Unauthenticated Remote Attack | Command Injection Vulnerability | CVE-2024-29895 | Details, PoC
Jenkins | Unauthenticated Remote Attack | Path Traversal Vulnerability | CVE-2024-43044 | Details, PoC
ServiceNow | Unauthenticated Remote Attack | Input Validation and Incomplete List of Disallowed Inputs Vulnerabilities | CVE-2024-5217, CVE-2024-4879 | Details, PoC1, PoC2
Progress WhatsUp Gold | Unauthenticated Remote Attack | Improper Path Validation Vulnerability | CVE-2024-4885 | Details, PoC
Apache OFBiz | Unauthenticated Remote Attack | Path Traversal and Incorrect Authorization Vulnerabilities | CVE-2024-32113, CVE-2024-38856 | Details, PoC1, PoC2