[Vulnerability Alert] CISA Adds Four Exploited Vulnerabilities to the KEV Catalog (2025/05/05 – 2025/05/11)

Publish date: 2025-05-20    Update date: 2025-05-20

Source: Ministry of Education Information & Communication Security Contingency Platform

Publication Number: TACERT-ANA-2025051203051111
Publication Time: 2025/05/12 15:05
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/05/12 15:05
Impact Level: Low
[Subject]
[Vulnerability Alert] CISA Adds Four Exploited Vulnerabilities to the KEV Catalog (2025/05/05 – 2025/05/11)
[Content]
Forwarded from TWCERTCC-200-202505-00000008

[CVE-2025-3248] Langflow Missing Authentication Vulnerability (CVSS v3.1: 9.8)
[Ransomware Exploitation: Unknown]
A missing-authentication vulnerability exists in Langflow at the /api/v1/validate/code endpoint, allowing remote unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
[Affected Platforms] Langflow versions prior to and including 1.2.0

[CVE-2025-27363] FreeType Out-of-Bounds Write Vulnerability (CVSS v3.1: 8.1)
[Ransomware Exploitation: Unknown]
An out-of-bounds write vulnerability exists in FreeType when parsing sub-glyph structures related to TrueType GX and variable font files, potentially leading to arbitrary code execution.
[Affected Platforms] FreeType versions prior to and including 2.13.0

[CVE-2024-11120] GeoVision Devices OS Command Injection Vulnerability (CVSS v3.1: 9.8)
[Ransomware Exploitation: Unknown]
Multiple GeoVision devices contain an OS command-injection vulnerability that enables remote unauthenticated attackers to inject and execute arbitrary system commands.
[Affected Platforms] GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, GVLX 4 V3

[CVE-2024-6047] GeoVision Devices OS Command Injection Vulnerability (CVSS v3.1: 9.8)
[Ransomware Exploitation: Unknown]
Multiple GeoVision devices contain an OS command-injection vulnerability that enables remote unauthenticated attackers to inject and execute arbitrary system commands.
[Affected Platforms] GV_DSP_LPR_V2, GV_IPCAMD_GV_BX130, GV_IPCAMD_GV_BX1500, GV_IPCAMD_GV_CB220, GV_IPCAMD_GV_EBL1100, GV_IPCAMD_GV_EFD1100, GV_IPCAMD_GV_FD2410, GV_IPCAMD_GV_FD3400, GV_IPCAMD_GV_FE3401, GV_IPCAMD_GV_FE420, GV_GM8186_VS14, GV-VS14_VS14, GV_VS03, GV_VS2410, GV_VS28XX, GV_VS216XX, GV VS04A, GV VS04H, GVLX 4 V2, GVLX 4 V3

Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform]
See the “Affected Platforms” sections in the content description above.
[Recommended Actions]
[CVE-2025-3248] Upgrade the affected product to Langflow 1.3.0 or later.
[CVE-2025-27363] Upgrade the affected product to FreeType 2.13.1 or later.
[CVE-2024-11120] The affected products may have reached End of Life (EoL) or End of Service (EoS). Users are advised to discontinue use of these products.
[CVE-2024-6047] The affected products may have reached End of Life (EoL) or End of Service (EoS). Users are advised to discontinue use of these products.
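As an added example (not part of the TACERT/TWCERT notification), a small Python triage helper for the two software CVEs above: it checks an inventory of installed versions against the affected ranges and fixed versions stated in this advisory, and scans web-server access-log lines for requests to the Langflow /api/v1/validate/code endpoint named in the CVE-2025-3248 description. The Common Log Format, the inventory dictionary and the sample log lines are assumptions constructed for the example.

```python
"""Advisory triage: version-range check plus an access-log scan for the Langflow endpoint."""
import re

# Affected ranges and fixed versions exactly as stated in the advisory.
ADVISORY = {
    "langflow": {"cve": "CVE-2025-3248", "last_affected": (1, 2, 0), "fixed": "1.3.0"},
    "freetype": {"cve": "CVE-2025-27363", "last_affected": (2, 13, 0), "fixed": "2.13.1"},
}
LANGFLOW_ENDPOINT = "/api/v1/validate/code"  # endpoint named in the CVE-2025-3248 description


def parse_version(text: str) -> tuple:
    """Turn '2.13.0' or 'v1.2' into a comparable 3-tuple; pre-release suffixes after '-' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def check_inventory(inventory: dict) -> list:
    """Return (product, cve, installed, fixed) for each install at or below the last affected version."""
    hits = []
    for product, version in inventory.items():
        info = ADVISORY.get(product.lower())
        if info and parse_version(version) <= info["last_affected"]:
            hits.append((product, info["cve"], version, info["fixed"]))
    return hits


# Assumed Common Log Format: client - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_endpoint_hits(log_lines, endpoint=LANGFLOW_ENDPOINT) -> list:
    """Flag every request whose path (query string stripped) is the endpoint; returns (client, method, status)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, _ts, method, path, status = m.groups()
        if path.split("?")[0] == endpoint:
            hits.append((client, method, int(status)))
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = {"langflow": "1.2.0", "freetype": "2.13.1", "nginx": "1.26.0"}
SAMPLE_LOG = [
    '203.0.113.5 - - [06/May/2025:10:01:02 +0800] "POST /api/v1/validate/code HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/May/2025:10:01:09 +0800] "GET /api/v1/flows HTTP/1.1" 200 2048',
    '203.0.113.5 - - [06/May/2025:10:02:40 +0800] "POST /api/v1/validate/code?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    print(check_inventory(SAMPLE_INVENTORY))  # langflow 1.2.0 is within the affected range
    print(find_endpoint_hits(SAMPLE_LOG))     # two requests to the validate/code endpoint
```

Any hit from `find_endpoint_hits` on a host still running an affected Langflow version is worth reviewing against the upgrade action above.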
[Reference]
(This notification is for informational purposes only and does not constitute a cybersecurity incident.)
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center