Security

We’re excited to announce the release of Vulnerability-Lookup 2.11.0 — and it comes with a major milestone for decentralized vulnerability publication!

What's New

GCVE-BCP-03 - Decentralized Publication Standard

The GCVE BCP-03 Decentralized Publication Standard has now been implemented for the first time.

This standard enables GCVE Numbering Authority (GNA) organizations to publish their vulnerability information directly—without relying on a centralized system.

As a first step, version 2.10.0 of Vulnerability-Lookup introduced support for maintaining a local copy of the GCVE registry. With the latest release, it's now possible to synchronize the list of local organizations in a Vulnerability-Lookup instance with this local GCVE registry.

This new capability provides a simple way to maintain an up-to-date list of GNA organizations in any Vulnerability-Lookup deployment.

Administrators can then choose which advisories, published by these GNA organizations, they want to import into their instance. This is possible thanks to a new feeder. (151)

Security Advisories from the Local Vulnerability-Lookup Instance (gna-65535.private.circl.lu)

This view displays advisories published on the current local instance.

Security Advisories from GNA-1 Retrieved in the Local Vulnerability-Lookup Instance (gna-65535.private.circl.lu)

This view shows advisories retrieved from a remote GNA instance (GNA-1) using the new feeder system.

Security Advisories from GNA-1 Retrieved in the Local Vulnerability-Lookup Instance (vulnerability.circl.lu)

This screenshot displays the same advisory as in the previous example, but as seen on its originating instance.

Dashboard

The dashboard where administrators manage the local GCVE registry.

Organization Management

This section allows the management of both GNA and non-GNA organizations.

Editing an Organization

Editing details for a specific organization.

The distributed GCVE network

Changes

  • Added pagination in the API to the endpoint which lists EMB3D objects. (a669461)
  • Vendor and Product management in vulnerability-lookup (#105)
  • Improvements to the view of recent vulnerabilities. The navigation menu is now automatically updated based on the list of GNAs the local instance is subscribed to.
  • Various improvements to the admin dashboard.
  • Various improvements to the documentation.

Fixes

  • Multiple comments share same UUID (#158)
  • GCVE data/feed is missing (#155)
  • Dockerfile change by P-T-I (#153)
  • Fixes to installation instructions by jeroenh (#154)
  • doc fix by jeroenh (#156)
  • Small fixes on containers by claudex (#157)
  • Fixed a test in the disculosure.html template. The description of approved disclosures was never displayed. (1ec3e55)

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.11.0

Feedback and Support

If you encounter issues or have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/


LOL


You can now follow the Vulnerability-Lookup Discourse topic on Mastodon: @[email protected]

https://discourse.ossbase.org/c/vulnerability-lookup-org/6

#Mastodon #Discourse #ActivityPub #VulnerabilityLookup


Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for May 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation's honeypot network.

Top 10 vulnerabilities of the month

Vulnerability  | Vendor                     | Product                                            | Severity | VLAI Severity
CVE-2025-31324 | SAP_SE                     | SAP NetWeaver (Visual Composer development server) | Critical | Critical
CVE-2025-4427  | Ivanti                     | Endpoint Manager Mobile                            | Medium   | Critical
CVE-2025-37899 | Linux                      | Linux                                              |          | High
CVE-2025-4428  | Ivanti                     | Endpoint Manager Mobile                            | High     | High
CVE-2025-32756 | Fortinet                   | FortiVoice                                         | Critical | Critical
CVE-2025-4664  | Google                     | Chrome                                             | Medium   | Medium
CVE-2025-20188 | Cisco                      | Cisco IOS XE Software                              | Critical | Critical
CVE-2017-18368 | ZyXEL                      | P660HN-T1A                                         | Critical | Critical
CVE-2015-2051  | D-Link                     | DIR-645                                            | High     | Critical
CVE-2024-38475 | Apache Software Foundation | Apache HTTP Server                                 | Critical | Critical

Evolution for the top 5 vulnerabilities

Insights from contributors

CVE-2025-22252: Authentication Vulnerability in FortiOS, FortiProxy, and FortiSwitchManager leads to Unauthenticated Admin Access
CVE-2025-22252 is a missing authentication for critical function vulnerability in devices configured to use a remote TACACS+ server for authentication configured to use ASCII authentication. It may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass, potentially resulting in complete system compromise, data theft and service disruption.

CVE-2025-30663: Additional information
In its security release of 13 May 2025, Zoom addressed two vulnerabilities that could be exploited for privilege escalation:

  • CVE-2025-30663, a time-of-check time-of-use race condition affecting some Zoom Workplace Apps. If successfully exploited, an authenticated user could conduct an escalation of privilege via local access.
  • CVE-2025-30664 is an improper neutralization of special elements flaw affecting some Zoom Workplace Apps. Successful exploitation could allow an authenticated user to conduct an escalation of privilege via local access.

CVE-2025-41229: More information
The vulnerabilities could be used by attackers to gain access to services and data. They can also be used to execute arbitrary commands and cause a denial of service. Confidentiality, integrity and availability are all impacted. The only solution is to upgrade immediately.

CVE-2025-27920: Additional information
Microsoft discovered critical vulnerability CVE-2025-27920 affecting the messaging application Output Messenger. Microsoft additionally observed exploitation of the vulnerability since April 2024. According to Microsoft, the attacker needs to be authenticated, although the Output Messenger advisory indicates that privileges are not required to exploit the vulnerability. An attacker could upload malicious files into the server’s startup directory by exploiting this directory traversal vulnerability. This allows an attacker to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, possibly leading to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Continuous exploitation

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/


This project implements a FastAPI-based local server designed to load one or more pre-trained NLP models during startup and expose them through a clean, RESTful API for inference.

For example, it leverages the Hugging Face transformers library to load the CIRCL/vulnerability-severity-classification-distilbert-base-uncased model, which specializes in classifying vulnerability descriptions according to their severity level. The server initializes this model once at startup, ensuring minimal latency during inference requests.

Clients interact with the server via dedicated HTTP endpoints corresponding to each loaded model. Additionally, the server automatically generates comprehensive OpenAPI documentation that details the available endpoints, their expected input formats, and sample responses—making it easy to explore and integrate the services.

The ultimate goal is to enrich vulnerability data descriptions through the application of a suite of NLP models, providing direct benefits to Vulnerability-Lookup and supporting other related projects.

Conceptual architecture


Systems

  • Linux
  • Unix
  • MacOS X

Today we released Vulnerability-Lookup 2.9.0 with new features, enhancements, and bug fixes.

What's New

Adversarial Techniques from MITRE EMB3D

The Adversarial Techniques from MITRE EMB3D are now integrated into Vulnerability-Lookup as a new source and are correlated with existing security advisories.

This feature was contributed by Piotr Kaminski during the last Hack.lu hackathon. (#129)

MITRE EMB3D

Global CVE Allocation System (GCVE)

GCVE identifiers are now supported in HTML templates and URL parameters,
thanks to the GCVE Python client.
These identifiers can now be used when disclosing a new vulnerability as part of the Coordinated Vulnerability Disclosure (CVD) process, in alignment with NIS 2 requirements. (8bb3d84, 58c394a)

GCVE

Trustworthy Level for Members

Members of a Vulnerability-Lookup instance now have a dynamically calculated
trustworthy level based on profile completeness and verification.
Members affiliated with FIRST.org or European CSIRTs (CNW) are automatically
trusted for operations that would otherwise require administrator approval
(e.g., creating comments).

Changes

  • New API endpoint for MITRE EMB3D. (c0d6b44)
  • Improved the vulnerability disclosure page. (ccfb6b1)
  • Added page arguments to the vulnerability/last endpoint. (ce75a7a)
  • Notification emails now include a random signoff. (#119)
  • Various graphical enhancements. (0878a31)

Fixes

  • Fixed editing of notifications for Organization/Product. (#124)

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.9.0


🚨 April 2025 Vulnerability Report is out! 🚨

👉 https://www.vulnerability-lookup.org/2025/05/01/vulnerability-report-april-2025/

The most prominent vulnerabilities affect the following products:

  • Ivanti / ConnectSecure
  • Erlang / OTP
  • SAP / SAP NetWeaver

The Continuous Exploitation section highlights several resurgent vulnerabilities (recently exploited at a high rate), including:

  • CVE-2017-17215 (Huawei router)
  • CVE-2015-2051 (D-Link)

Check out the report for more details.

A huge thank you to all contributors and data sources that make this possible! 🙌

Want to help shape the next report? Join us: 👉 https://vulnerability.circl.lu/user/signup

💻 NISDUC Conference

Vulnerability-Lookup will be presented during the fourth NISDUC conference.

👉 https://www.nisduc.eu/


The Global CVE (GCVE) allocation system is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.

This client can be integrated into software such as Vulnerability-Lookup to provide core GCVE functionalities by adhering to the Best Current Practices.
It can also be used as a standalone command-line tool.

Examples of usage

As a command line tool

First install the gcve client:

$ python -m pip install --user pipx
$ python -m pipx ensurepath

$ pipx install gcve
  installed package gcve 0.6.0, installed using Python 3.13.0
  These apps are now globally available
    - gcve
done! ✨ 🌟 ✨

Pulling the registry locally

$ gcve registry --pull
Pulling from registry...
Downloaded updated https://gcve.eu/dist/key/public.pem to data/public.pem
Downloaded updated https://gcve.eu/dist/gcve.json.sigsha512 to data/gcve.json.sigsha512
Downloaded updated https://gcve.eu/dist/gcve.json to data/gcve.json
Integrity check passed successfully.

Retrieving a GNA

Note: This operation is case sensitive.

$ gcve registry --get CIRCL
{
  "id": 1,
  "short_name": "CIRCL",
  "cpe_vendor_name": "circl",
  "full_name": "Computer Incident Response Center Luxembourg",
  "gcve_url": "https://vulnerability.circl.lu/",
  "gcve_api": "https://vulnerability.circl.lu/api/",
  "gcve_dump": "https://vulnerability.circl.lu/dumps/",
  "gcve_allocation": "https://vulnerability.circl.lu/",
  "gcve_sync_api": "https://vulnerability.circl.lu/"
}

$ gcve registry --get CIRCL | jq .id
1

Searching the Registry

Note: Search operations are case insensitive.

$ gcve registry --find cert
[
  {
    "id": 680,
    "short_name": "DFN-CERT",
    "full_name": "DFN-CERT Services GmbH",
    "gcve_url": "https://adv-archiv.dfn-cert.de/"
  }
]

More information in the Git repository.
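The three registry operations shown above (pull, case-sensitive --get, case-insensitive --find) map onto a small amount of logic once gcve.json is on disk. The following is an added example, not code from the gcve client or the Vulnerability-Lookup project: it works over a constructed registry modelled on the two entries displayed above (the EXAMPLE-GNA entry with id 65535 is a placeholder), assumes the file has already been pulled and its signature verified, and assumes GCVE identifiers take the form GCVE-<GNA id>-<year>-<number> so that an identifier can be resolved to the GNA that allocated it. Rejecting duplicate ids at load time is this example's own check, added because a registry that is mirrored locally and then used to decide which remote instances to subscribe to should not silently map one id to two organisations.

```python
import json
import re

# Constructed sample registry, modelled on the `gcve registry --get CIRCL` and
# `--find cert` output above. It is NOT the real gcve.json from gcve.eu; the
# EXAMPLE-GNA entry is a placeholder.
SAMPLE_REGISTRY_JSON = """
[
  {"id": 1, "short_name": "CIRCL", "cpe_vendor_name": "circl",
   "full_name": "Computer Incident Response Center Luxembourg",
   "gcve_url": "https://vulnerability.circl.lu/",
   "gcve_api": "https://vulnerability.circl.lu/api/"},
  {"id": 680, "short_name": "DFN-CERT",
   "full_name": "DFN-CERT Services GmbH",
   "gcve_url": "https://adv-archiv.dfn-cert.de/"},
  {"id": 65535, "short_name": "EXAMPLE-GNA",
   "full_name": "Example placeholder GNA",
   "gcve_url": "https://gna-65535.example.invalid/"}
]
"""

# Assumed identifier layout: GCVE-<GNA id>-<year>-<number>.
GCVE_ID_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$")


def load_registry(text: str) -> list:
    """Parse a registry dump and refuse one where a GNA id is not unique."""
    registry = json.loads(text)
    ids = [entry["id"] for entry in registry]
    if len(ids) != len(set(ids)):
        raise ValueError("registry contains duplicate GNA ids")
    return registry


def get_gna(registry: list, short_name: str):
    """Exact, case-sensitive match on short_name (like `gcve registry --get`)."""
    for entry in registry:
        if entry["short_name"] == short_name:
            return entry
    return None


def find_gnas(registry: list, needle: str) -> list:
    """Case-insensitive substring search over short_name and full_name
    (like `gcve registry --find`); returns every matching entry."""
    needle = needle.lower()
    return [
        entry for entry in registry
        if needle in entry["short_name"].lower()
        or needle in entry.get("full_name", "").lower()
    ]


def gna_for_gcve_id(registry: list, gcve_id: str):
    """Resolve a GCVE identifier to the registry entry of the GNA that owns
    its numbering block, or None if that GNA id is not in the registry."""
    match = GCVE_ID_RE.match(gcve_id)
    if match is None:
        raise ValueError(f"not a GCVE identifier: {gcve_id!r}")
    gna_id = int(match.group(1))
    for entry in registry:
        if entry["id"] == gna_id:
            return entry
    return None


if __name__ == "__main__":
    reg = load_registry(SAMPLE_REGISTRY_JSON)
    print(get_gna(reg, "CIRCL")["id"])                  # 1
    print(get_gna(reg, "circl"))                        # None (case-sensitive)
    print([e["short_name"] for e in find_gnas(reg, "cert")])  # ['DFN-CERT']
    print(gna_for_gcve_id(reg, "GCVE-1-2025-0001")["short_name"])  # CIRCL
```

A Vulnerability-Lookup instance that subscribes to GNA feeds would use the resolution step in the other direction as well: before importing an advisory carrying a GCVE identifier, check that its GNA id exists in the locally verified registry and that the advisory actually came from that GNA's published gcve_api or gcve_url, so that a remote instance cannot present advisories under another organisation's numbering block.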


The Global CVE (GCVE) allocation system is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.

While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement.


cross-posted from: https://lemmy.ml/post/28680239

"Traumatized Mr. Incredible" meme format, beneath screenshot of The Register's headline "Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program". Left panel: "Countering Violent Extremism Task Force?", right panel: "Common Vulnerabilities and Exposures database"
