Vulnerability Summary for the Week of November 24, 2025

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source Info	Patch Info
0x4m4–HexStrike AI	By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025).	2025-11-30	9.1	CVE-2025-35028	https://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011
AMD–AMD Prof	Improper return value within AMD uProf can allow a local attacker to bypass KSLR, potentially resulting in loss of confidentiality or availability.	2025-11-24	7.1	CVE-2025-48510	https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html
AMD–Xilinx Run Time (XRT)	Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or ava […] Content was cut in order to protect the source.Please visit the source for the rest of the article. This article has been indexed from Bulletins Read the original article: Vulnerability Summary for the Week of November 24, 2025 Share this: Facebook X LinkedIn Like this: Like Loading... Related Tags: Bulletins EN Post navigation ← Malware Manipulates AI Detection in Latest npm Package Breach New Albiriox Android Malware Developed by Russian Cybercriminals → Search for: Pages Advertising Contact Legal and Contact information Opt-out preferences Privacy Policy Social Media Apps Telegram Channel Recent Posts Arkanix Stealer: Newly discovered short term profit malware December 1, 2025 New Android malware lets criminals control your phone and drain your bank account December 1, 2025 $29 Million Worth of Bitcoin Seized in Cryptomixer Takedown December 1, 2025 Facial Recognition’s Trust Problem December 1, 2025 South Korea’s Coupang Confirms 34 Million Customer Data Leak December 1, 2025 European police dismantle cryptocurrency mixer that laundered $1.5 billion for ransomware gangs, other criminals December 1, 2025 AI Ethics in Action: How We Ensure Fairness, Bias Mitigation, and Explainability December 1, 2025 Global Futures Reopen After CME Suffers Data Center Cooling Failure December 1, 2025 AI Emotional Monitoring in the Workplace Raises New Privacy and Ethical Concerns December 1, 2025 Streaming Platforms Face AI Music Detection Crisis December 1, 2025 CrowdStrike Fires Insider Who Leaked Internal Screenshots to Hacker Groups, Says no Customer Data was Breached December 1, 2025 Tomiris Hacker Group Added New Tools and Techniques to Attack Organizations Globally December 1, 2025 Microsoft Azure API Management Flaw Enables Cross-Tenant Account Creation, Bypassing Admin Restrictions December 1, 2025 Dutch study finds teen cybercrime is mostly just a phase December 1, 2025 New Albiriox Android Malware Developed by Russian Cybercriminals December 1, 2025 Vulnerability Summary for the Week of November 24, 2025 December 1, 2025 Malware Manipulates AI Detection in Latest npm Package Breach December 1, 2025 Building Distributed Apps? Akamai and Fermyon are Changing the Game December 1, 2025 What a Secure Setup Really Looks Like for Storing Digital Assets December 1, 2025 Building a Production-Ready MCP Server in Python December 1, 2025 Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com. Manage Consent To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions. Functional Functional Always active The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. Preferences Preferences The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. Statistics Statistics The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you. Marketing Marketing The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. Manage options Manage services Manage {vendor_count} vendors Read more about these purposes View preferences {title} {title} {title}

Primary
Vendor — Product

Description

Published

CVSS Score

Source Info

Patch Info

0x4m4–HexStrike AI

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025).

2025-11-30

9.1

CVE-2025-35028

https://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011

AMD–AMD Prof

Improper return value within AMD uProf can allow a local attacker to bypass KSLR, potentially resulting in loss of confidentiality or availability.

2025-11-24

7.1

CVE-2025-48510

https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html

AMD–Xilinx Run Time (XRT)

Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or ava

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Bulletins

Read the original article:

Vulnerability Summary for the Week of November 24, 2025

← Malware Manipulates AI Detection in Latest npm Package Breach

New Albiriox Android Malware Developed by Russian Cybercriminals →

High Vulnerabilities

Read the original article:

Share this:

Like this:

Related

Post navigation