vFeed Newsletter June 2025
vFeed Inc.

Welcome to the vFeed June 2025 edition of the Cybersecurity and Vulnerability Newsletter
June continued to present a significant challenge to security professionals and vulnerability analysts. About 3,214 vulnerabilities were published this month, continuing the elevated level we have seen since April. vFeed has recorded about 16,933 vulnerabilities published so far in 2025 alone, well on track to be one of the highest yearly totals in recent years. We also observed several older vulnerabilities being exploited, especially in privilege escalation and remote code execution attacks. Among the vulnerabilities published in June, the number of critical vulnerabilities (those with a score of 9.0 or higher) rose sharply to 559, compared with 187 in March and 129 in February, several of them with a perfect score of 10. vFeed Threat Intel has incorporated CVSS v4 risk scoring metrics into the feed, and so far we have captured 3,393 such risk scores in 2025 alone, the most we have seen to date. Notably, 64 vulnerabilities had an exploitability percentile greater than 70%, indicating that they are likely to be exploited within the next month.
A majority of these high-scoring vulnerabilities involve Remote Code Execution (RCE) weaknesses, dominated by high-severity issues affecting mail systems, orchestration tools, industrial software, and Microsoft WebDAV. These included CVE‑2025‑49113 (Roundcube Webmail), CVE‑2025‑49619 (Skyvern), CVE‑2025‑33053 (Microsoft WebDAV), CVE‑2025‑49132 (Pterodactyl Panel), and CVE‑2025‑5086 (DELMIA Apriso). Others included denial-of-service overflows, cross‑site scripting, and command injection attacks.
In June, the Windows and Microsoft ecosystem addressed 44 Windows, 24 ESU, and 18 Office vulnerabilities in the June patch release, the highest concentration on one operating system seen so far. RCE comprised around 38% of all Microsoft June patches (approximately 25 RCE CVEs), followed by information disclosure (26%) and privilege escalation (20%). Adobe’s bulletins covered 254 vulnerabilities disclosed across Acrobat Reader, InCopy, InDesign, Experience Manager, Substance 3D Sampler, and Substance 3D Painter. Many of the PHP-based web applications built on Campcodes, as well as WordPress plugins, were affected by SQL injection and XSS flaws.
On WordPress, vFeed identified about 13 critical vulnerabilities disclosed in several popular WordPress plugins and themes, exposing severe risks to site integrity and user data. These flaws primarily affect authentication and authorization components. They included the Simple Payment plugin admin bypass (CVE‑2025‑6688), PT Project Notebooks plugin privilege escalation to admin (CVE‑2025‑5304), HyperComments plugin (CVE‑2025‑5701), WP Email Debug plugin (CVE‑2025‑5486), and REST API Generator plugin (CVE‑2025‑5288). Vulnerability analysts should remediate these as early as possible: they pose a high risk of site compromise and underscore the need for stricter capability checks and secure session handling.
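The capability and session checks the paragraph above calls for are illustrated below with an added PHP example; it is not code from vFeed or from any of the plugins named, and the "Example Notes" plugin, its route names, option name and nonce action are hypothetical. It shows a REST endpoint and an admin-ajax handler that change a site option, first in the weakly protected form that many of these plugin advisories describe (a public `permission_callback`), then with the capability check and nonce check that WordPress provides.

```php
<?php
/*
 * Added illustration for a hypothetical plugin "Example Notes" (not vFeed's
 * code, not from any plugin named in the newsletter). The first route exists
 * only for contrast and would never ship; the second is the hardened form.
 */

// --- Weak pattern: the route is reachable by anyone --------------------------
// '__return_true' makes the endpoint public, so an unauthenticated visitor can
// flip the option. Omitting permission_callback entirely is no better: WordPress
// raises a _doing_it_wrong notice and still serves the route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-notes/v1', '/settings-insecure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_notes_save_settings',
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened pattern: capability check in permission_callback ---------------
// REST requests are authenticated via the login cookie plus an X-WP-Nonce
// header (or an application password). Without a valid nonce WordPress treats
// the caller as anonymous, so current_user_can() returns false and the request
// is rejected before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-notes/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_notes_save_settings',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'Insufficient privileges.',
                array( 'status' => 403 )
            );
        },
        // Declare and sanitize the expected argument instead of trusting raw input.
        'args' => array(
            'public_notes' => array(
                'type'              => 'boolean',
                'required'          => true,
                'sanitize_callback' => 'rest_sanitize_boolean',
            ),
        ),
    ) );
} );

function example_notes_save_settings( WP_REST_Request $request ) {
    update_option( 'example_notes_public', (bool) $request->get_param( 'public_notes' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- admin-ajax handler: nonce (anti-CSRF) check plus capability check -------
// Hooking only wp_ajax_ (not wp_ajax_nopriv_) keeps the action unavailable to
// logged-out users; the nonce binds the request to the current user's session.
add_action( 'wp_ajax_example_notes_save', function () {
    // Dies with a 403 if the 'nonce' field is missing or does not verify.
    check_ajax_referer( 'example_notes_save', 'nonce' );

    // Being logged in is not enough: a subscriber must not change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges.', 403 );
    }

    update_option( 'example_notes_public', ! empty( $_POST['public_notes'] ) );
    wp_send_json_success( array( 'saved' => true ) );
} );
```

The two checks answer different questions: the nonce confirms the request was intentionally issued from a page WordPress rendered for this session (so a cross-site form post cannot ride the user's cookies), while `current_user_can()` confirms the role actually holds the capability. Advisories of the kind listed above usually trace back to one of the two being absent, or to a check on `is_user_logged_in()` alone, which any subscriber-level account satisfies.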
Critical Exploitable Vulnerabilities
Pay attention to these top critical vulnerabilities that are likely exploitable this month.
CVE | Description | CVSS 3 Base | EPSS Percentile | Date Published | Weakness | Versions Affected | References |
CVE-2025-49113 | Roundcube Webmail PHP object deserialization leading to RCE | 9.9 | 98.86% | 2025-06-02 | CWE-502 (Deserialization of Untrusted Data) | <= 1.5.10 | https://fearsoff.org/research/roundcube |
CVE-2025-49619 | Skyvern server-side template injection leading to RCE | 8.5 | 96.54% | 2025-06-07 | CWE-1336 (Improper Neutralization of Special Elements) | <= 0.1.85 | https://cristibtz.github.io/posts/CVE-2025-49619 |
CVE-2025-33053 | External control of file name or path in Microsoft Internet Shortcut Files allows an unauthorized attacker to execute code over a network | 8.8 | 96.43% | 2025-06-10 | CWE-73 (External Control of File Name or Path) | versions 10.0.*, Windows Server 2008/R2, 2012/R2 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053 |
CVE-2025-49132 | Pterodactyl Panel unauthenticated access to /locales/locale.json leading to critical RCE | 10.0 | 95.71% | 2025-06-20 | CWE-94 (Improper Control of Generation of Code) | < 1.11.11 | https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843 |
CVE-2025-5086 | DELMIA Apriso deserialization of untrusted data leading to RCE | 9.0 | 95.0% | 2025-06-02 | CWE-502 (Deserialization of Untrusted Data) | 2020-2025 | https://www.3ds.com/vulnerability/advisories |
May you live in interesting times! 🙂

Click here to schedule your demo with vFeed Threat Intel today!