
Netizen: June 2025 Vulnerability Review

Security vulnerabilities are a constant in any organization's security program, and prompt patching and remediation of newly disclosed flaws is critical to reducing the external attack surface. Netizen's Security Operations Center (SOC) has compiled five critical vulnerabilities from June 2025 that should be patched or otherwise addressed immediately if present in your environment. Detailed writeups below:


CVE-2024-54085

CVE-2024-54085 describes a critical authentication bypass vulnerability in American Megatrends International's (AMI) SPx firmware, specifically within the Baseboard Management Controller (BMC). The flaw allows a remote attacker to bypass authentication when interacting with the BMC through the Redfish Host Interface, gaining access without credentials or user interaction. It affects systems running AMI's MegaRAC SPx firmware, which server OEMs integrate (often under their own branding) for out-of-band management, so the potential impact spans enterprise environments and data centers.

The attack vector is particularly dangerous due to its placement at the firmware level. By abusing the Redfish API exposed by the BMC, an attacker can gain privileged access to critical server management functions. This includes the ability to issue power controls, flash firmware, or even wipe or reconfigure the host system remotely. Exploiting this interface requires no local access, no authentication, and no user interaction—only network reachability. As a result, the vulnerability poses a direct threat to the confidentiality, integrity, and availability of affected systems.

Reports published in June 2025 indicate that this flaw is being actively exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog that month. Those reports describe attackers using it to deploy destructive payloads capable of bricking servers or persisting stealthily within BMC firmware. According to CISA and Eclypsium, thousands of exposed BMC interfaces are reachable from the internet, and widespread scanning for exposed Redfish interfaces has been observed.

The vulnerability was officially assigned CVE-2024-54085 and carries maximum or near-maximum severity scores across CVSS v2 (10.0), v3.1 (9.8), and v4.0 (10.0), underscoring the potential for total system compromise. Organizations with exposed or internet-facing BMC interfaces, especially those running outdated AMI SPx firmware, should prioritize patching and segmenting their management networks. Because MegaRAC is OEM-integrated, the fix ships inside each server vendor's BMC firmware update rather than directly from AMI, so check your OEM's advisory for the build that contains it; updates and mitigation guidance have also been published by vendors such as NetApp and by national cybersecurity agencies. Given the nature of the vulnerability, immediate action is required to prevent exploitation and irreversible damage to critical infrastructure.
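As an added example (not code from Netizen, AMI, or any OEM), the script below is a non-invasive way to confirm that a BMC's Redfish service actually enforces authentication: it requests protected collections without credentials and flags any that come back with a 200 and a Redfish body. The target addresses are assumptions, and the classifier is exercised with constructed responses; the script only reads and never changes BMC state. It does not attempt the bypass itself.

```python
"""
Added example (not from the Netizen post or AMI): a non-invasive check that
a BMC's Redfish service refuses unauthenticated requests to a protected
resource. Hosts are assumptions; the classifier is exercised with
constructed responses.
"""
import json
import ssl
import urllib.error
import urllib.request

# Protected Redfish collections. The service root /redfish/v1/ is allowed
# to be anonymous by the Redfish specification, so it is NOT a useful target.
PROTECTED_PATHS = ("/redfish/v1/Managers", "/redfish/v1/Systems")


def classify(status: int, body: bytes) -> str:
    """Map an unauthenticated response to a finding.

    401/403 is the expected answer for a protected collection. 200 with a
    Redfish collection in the body means the BMC served a protected
    resource without credentials and needs immediate attention.
    """
    if status in (401, 403):
        return "ok: authentication enforced"
    if status == 200:
        try:
            doc = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            return "review: 200 but non-JSON body"
        if "Members" in doc or "@odata.id" in doc:
            return "ALERT: protected Redfish resource served without credentials"
        return "review: 200 with unexpected JSON"
    if status == 404:
        return "info: path not present (not a Redfish service?)"
    return f"review: unexpected status {status}"


def probe(host: str, timeout: float = 5.0) -> dict:
    """Issue unauthenticated GETs against each protected path on one BMC.

    TLS verification is disabled because BMCs ship with self-signed
    certificates; this function only reads, it never changes anything.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    results = {}
    for path in PROTECTED_PATHS:
        req = urllib.request.Request(
            f"https://{host}{path}", headers={"Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                results[path] = classify(resp.status, resp.read())
        except urllib.error.HTTPError as e:
            results[path] = classify(e.code, e.read())
        except (urllib.error.URLError, OSError) as e:
            results[path] = f"error: {e}"
    return results


if __name__ == "__main__":
    import sys
    # The default address is a documentation-range placeholder (assumption);
    # pass your own management-network inventory on the command line.
    for bmc in sys.argv[1:] or ["192.0.2.10"]:
        for path, verdict in probe(bmc).items():
            print(f"{bmc} {path}: {verdict}")
```

Run it from a host on the management network. Any ALERT result means the BMC is answering protected Redfish requests anonymously and should be isolated first and patched second; an "ok" result proves only that the ordinary path is gated, not that the firmware is at a fixed build, so still verify the version against the OEM advisory.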


CVE-2025-6543

CVE-2025-6543 is a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway appliances. It is sometimes conflated with "CitrixBleed 2," but that name belongs to a separate NetScaler flaw disclosed the same month, CVE-2025-5777, a memory over-read that leaks data; CVE-2025-6543 is a different bug with a different impact. The flaw is reachable when these appliances are configured in Gateway mode, specifically as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server. When exploited, it leads to unintended control flow and Denial of Service (DoS), allowing an unauthenticated attacker to crash affected services or cause unpredictable behavior.

This vulnerability was confirmed to be exploited as a zero-day prior to public disclosure. Its addition to CISA’s Known Exploited Vulnerabilities catalog and the subsequent emergency advisories from vendors and government agencies signal that threat actors moved quickly to abuse the flaw in the wild. Reports from June 2025 document the use of this bug in denial-of-service attacks targeting enterprise gateway infrastructure. The potential for remote exploitation without prior authentication makes it particularly attractive for both disruption campaigns and access footholds, depending on how it’s chained with other weaknesses.

While the CVSS v2 score appears moderate at 5.0 due to limited immediate impact on confidentiality and integrity, the CVSS v3 score is 7.5 and the CVSS v4 score reaches 9.2—highlighting how newer scoring systems better reflect real-world risks associated with denial-of-service on critical edge infrastructure. The low CVSSv2 score fails to capture the severity of an attack that can render VPN and remote access services unusable during business hours, or which could serve as a stepping stone in more complex intrusion paths.

Administrators running affected NetScaler versions are strongly urged to apply the emergency patches issued by Citrix and verify that public-facing services are no longer vulnerable. NetScaler release trains 12.1 and 13.0 are end-of-life and will not receive a fix, so appliances on those versions must be upgraded to a supported, patched build rather than patched in place. Beyond patching, affected organizations should review VPN and gateway logs for signs of repeated crashes or traffic anomalies beginning in mid-June 2025, which may indicate early-stage exploitation attempts or reconnaissance.
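Since exposure to this flaw depends on the Gateway-mode configurations listed above, the first triage question is whether an appliance is in scope at all. The following added example (not Citrix's or Netizen's code) answers that from a saved ns.conf and the output of `show ns version`: a VPN virtual server covers ICA Proxy, CVPN and RDP Proxy, which are all modes of a vpn vserver, and an AAA deployment is an authentication vserver. The configuration and version text are constructed samples; comparing the extracted build against the fixed builds in Citrix's advisory is left to the reader because this page does not list them.

```python
"""
Added example, not Citrix's or Netizen's code: parse a saved ns.conf and the
output of `show ns version` to decide whether a NetScaler is in one of the
Gateway-mode configurations the advisory names. Sample config and version
text are constructed.
"""
import re

# ns.conf forms: "add vpn vserver <name> <proto> <ip> <port> ..." and
# "add authentication vserver <name> <proto> <ip> <port> ...".
VSERVER_RE = re.compile(
    r"^add (vpn|authentication) vserver (\S+) (\S+) (\S+) (\d+)", re.MULTILINE
)
# "show ns version" prints e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+\.\d+)")

# Constructed sample: one load balancer (out of scope), one Gateway vserver
# in ICA-only mode, one AAA vserver. Addresses are documentation ranges.
SAMPLE_NS_CONF = """\
add lb vserver lb_web HTTP 10.0.0.5 80
add vpn vserver gw_users SSL 203.0.113.10 443 -icaOnly ON
add authentication vserver aaa_mfa SSL 203.0.113.11 443
set vpn vserver gw_users -dtls ON
"""
SAMPLE_VERSION = "NetScaler NS14.1: Build 47.46.nc, Date: Jun 10 2025, 06:04:25"


def gateway_vservers(conf: str) -> list:
    """Return every vpn/authentication vserver defined in the config."""
    return [
        {"kind": kind, "name": name, "proto": proto, "ip": ip, "port": int(port)}
        for kind, name, proto, ip, port in VSERVER_RE.findall(conf)
    ]


def parse_version(show_ns_version: str):
    """Return (release, build) such as ("14.1", "47.46"), or None."""
    m = VERSION_RE.search(show_ns_version)
    return (m.group(1), m.group(2)) if m else None


def assess(conf: str, show_ns_version: str) -> dict:
    """Summarise exposure: Gateway mode present, and which release/build runs.

    Whether the build is at or above the fixed build for its release train
    must be checked against the Citrix advisory; the point here is
    establishing that the appliance is in scope at all.
    """
    vservers = gateway_vservers(conf)
    version = parse_version(show_ns_version)
    return {
        "gateway_mode": bool(vservers),
        "vservers": vservers,
        "release": version[0] if version else None,
        "build": version[1] if version else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_NS_CONF, SAMPLE_VERSION), indent=2))
```

Feed it the ns.conf pulled from each appliance (or the output of `show run`) rather than trusting an inventory spreadsheet; appliances that were deployed as plain load balancers but later had a vpn or authentication vserver added are exactly the ones that get missed.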


CVE-2024-0769

CVE-2024-0769 describes a critical path traversal vulnerability discovered in D-Link’s DIR-859 wireless router, version 1.06B01. The flaw lies in the HTTP POST request handler at the endpoint /hedwig.cgi, where the service parameter can be manipulated to perform directory traversal. By passing crafted input such as ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml, an unauthenticated remote attacker can access configuration files not intended to be publicly exposed, leading to unauthorized disclosure of sensitive system information.

The issue stems from a failure to sanitize or canonicalize the parameter before using it to build a file path within the POST request handler. This allows external actors to bypass the intended directory restriction and reach files elsewhere on the router's file system. The attacker does not require any privileges or user interaction, and the attack can be conducted entirely over the network. Proof-of-concept code is public and has been observed in use, so this is an active risk for any remaining DIR-859 units still online.
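To make the root cause concrete, here is an added example (not D-Link firmware code) of a stand-in CGI handler that resolves a user-supplied `service` parameter under a served directory, first in the unsafe form just described (path concatenation with no normalization) and then hardened by canonicalizing the path and refusing anything that escapes the allowed directory. The directory layout is constructed so that the page's four-level payload lands on the sensitive file from the served directory; it is not the DIR-859's real layout. Requires Python 3.9+ for `Path.is_relative_to`.

```python
"""
Added example, not D-Link firmware code: unsafe vs. hardened resolution of a
`service` parameter. The temporary directory tree is constructed; the
traversal string is the one quoted on the page.
"""
import os
import tempfile
from pathlib import Path

# Payload from the page's description of the /hedwig.cgi flaw.
TRAVERSAL = "../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml"
# Constructed served directory, four levels deep so the payload above
# reaches the device root and then descends into the config templates.
SERVED_SUBDIR = ("htdocs", "webinc", "public", "pages")


def build_device_root() -> Path:
    """Create a throwaway tree: a public page plus a config template."""
    root = Path(tempfile.mkdtemp(prefix="dir859-"))
    cfg = root / "htdocs" / "webinc" / "getcfg"
    cfg.mkdir(parents=True)
    (cfg / "DHCPS6.BRIDGE-1.xml").write_text("<config>admin-password-here</config>")
    served = root.joinpath(*SERVED_SUBDIR)
    served.mkdir(parents=True)
    (served / "status.xml").write_text("<ok/>")
    return root


def vulnerable_resolve(root: Path, service: str) -> str:
    """Unsafe: join and open. '..' segments walk out of the served directory."""
    path = os.path.join(str(root.joinpath(*SERVED_SUBDIR)), service)
    with open(path, encoding="utf-8") as f:
        return f.read()


def hardened_resolve(root: Path, service: str) -> str:
    """Safe: canonicalise, then require the result to stay inside the served
    directory. resolve() collapses '..' and follows symlinks, so a symlink
    pointing outside is refused as well; an absolute `service` replaces the
    base entirely and is refused by the same containment test."""
    allowed = root.joinpath(*SERVED_SUBDIR).resolve()
    target = (allowed / service).resolve()
    if not target.is_relative_to(allowed):
        raise PermissionError(f"refused: {service!r} escapes {allowed}")
    with open(target, encoding="utf-8") as f:
        return f.read()


def is_rejected(root: Path, service: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        hardened_resolve(root, service)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = build_device_root()
    print("vulnerable:", vulnerable_resolve(root, TRAVERSAL))
    print("hardened public file:", hardened_resolve(root, "status.xml"))
    print("hardened traversal rejected:", is_rejected(root, TRAVERSAL))
```

The containment check is done on the canonical path, not on the input string: stripping "../" from input is the classic mistake, since encodings and "....//" variants slip past it, while comparing resolved paths does not care how the escape was spelled.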

This vulnerability is especially concerning due to the fact that the DIR-859 has reached end-of-life status. D-Link confirmed the device is no longer supported, meaning no firmware updates or patches will be released. As such, affected systems will remain perpetually vulnerable. Despite the CVSS v2 score being reported as only 5.0—likely due to its limited immediate impact on availability or integrity—the CVSS v3.1 score of 9.8 accurately reflects the true risk, as the flaw enables full remote file disclosure and potentially facilitates follow-on attacks.

The CVE record was published in January 2024 and revised in June 2025 after further analysis and public exploit activity. Given its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog and a high EPSS probability of exploitation, users should immediately decommission any exposed DIR-859 units. Replacement with actively supported hardware, and isolation of any outdated equipment from public networks until it is replaced, should be prioritized to prevent compromise.


CVE-2019-6693

CVE-2019-6693 describes a cryptographic weakness present in certain versions of Fortinet’s FortiOS operating system, which is used across a variety of the company’s security appliances. The flaw results from the use of a hard-coded cryptographic key to encrypt sensitive information in configuration backup files. An attacker who obtains such a backup—either through access to a compromised system or a leaked file—could decrypt portions of the content without needing to brute force or guess passwords, since the cipher key is static and known.

The exposed information includes user account passwords (excluding the administrator password), passphrases used to protect private keys, and any High Availability (HA) configuration passwords, if set. Because the administrator password is exempt, the immediate risk of full system takeover from decrypting the file is somewhat reduced; however, the remaining credentials may still allow lateral movement, access to protected services, or reconstruction of internal secrets—especially in environments with poor account segmentation or where users share credentials across systems.

Although this vulnerability was originally published in 2019, it was added to CISA’s Known Exploited Vulnerabilities catalog in June 2025, indicating that it remains a viable attack vector in real-world scenarios. The renewed interest likely stems from threat actors targeting backup files exfiltrated through other means, then decoding them using the now-public encryption key. The CVSS v3.1 score of 6.5 reflects the fact that the issue requires prior access to the backup file and does not permit direct execution or privilege escalation on its own.

Nonetheless, organizations that maintain FortiOS appliances should audit their backup file storage and transfer mechanisms, implement encrypted transport layers and secure storage practices, and ensure they are not relying on outdated backup formats. Wherever possible, administrators should move to newer versions of FortiOS that remediate this flaw and remove reliance on insecure static key usage in cryptographic processes.
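The audit step above is easier to act on when you can see exactly which values in a backup depend on the static key. The added example below (not Fortinet's or Netizen's code) walks a FortiOS configuration backup, lists every secret stored in the `ENC` form grouped by config section and object, and reports the FortiOS version from the header. It also reports whether the `private-data-encryption` global setting is present, which to my knowledge is the FortiOS control that replaces the built-in key with an administrator-supplied one; treat that setting's name and semantics as an assumption to confirm against Fortinet's documentation for your release. It flags every `ENC` value, including the administrator password entry that the page notes is not recoverable with the static key, so treat the output as the set of values to review, not the set that is recoverable. The backup text is constructed and the `ENC` blobs are placeholders, not real ciphertext.

```python
"""
Added example, not Fortinet's or Netizen's code: audit a FortiOS backup for
ENC-protected secrets and the private-data-encryption setting (the latter is
an assumption to confirm against Fortinet documentation). Sample backup text
is constructed; ENC blobs are placeholders.
"""
import re

# Header form: "#config-version=FGT60E-6.0.4-FW-build0231-190107:opmode=0:..."
HEADER_RE = re.compile(r"^#config-version=(\S+?)-(\d+\.\d+\.\d+)-")
# Any "set <key> ENC <blob>" line holds a value protected by the backup key.
ENC_RE = re.compile(r"^\s*set\s+(\S+)\s+ENC\s+(\S+)")

SAMPLE_BACKUP = """\
#config-version=FGT60E-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
config system global
    set admin-sport 8443
    set hostname "fw-edge-1"
end
config system ha
    set group-name "edge-cluster"
    set password ENC AAAAplaceholderAAAA
end
config user local
    edit "alice"
        set type password
        set passwd ENC BBBBplaceholderBBBB
    next
end
config vpn certificate local
    edit "site-cert"
        set password ENC CCCCplaceholderCCCC
    next
end
"""


def audit_backup(text: str) -> dict:
    """Walk the config block structure and collect ENC secrets with context."""
    version = None
    stack = []            # nested "config ..." block names
    entry = None          # current "edit ..." object, if any
    secrets = []
    private_data_encryption = False
    for line in text.splitlines():
        s = line.strip()
        m = HEADER_RE.match(line)
        if m:
            version = (m.group(1), m.group(2))
            continue
        if s.startswith("config "):
            stack.append(s[len("config "):])
            continue
        if s == "end":
            if stack:
                stack.pop()
            continue
        if s.startswith("edit "):
            entry = s[len("edit "):].strip('"')
            continue
        if s == "next":
            entry = None
            continue
        # Assumed setting name; confirm against Fortinet documentation.
        if stack and stack[-1] == "system global" and s == "set private-data-encryption enable":
            private_data_encryption = True
            continue
        m = ENC_RE.match(line)
        if m:
            secrets.append({"section": " / ".join(stack), "entry": entry, "key": m.group(1)})
    return {
        "platform": version[0] if version else None,
        "fortios": version[1] if version else None,
        "private_data_encryption": private_data_encryption,
        "secrets": secrets,
    }


if __name__ == "__main__":
    report = audit_backup(SAMPLE_BACKUP)
    state = "on" if report["private_data_encryption"] else "OFF"
    print(f"FortiOS {report['fortios']} on {report['platform']}, private-data-encryption={state}")
    for s in report["secrets"]:
        where = f"{s['section']} [{s['entry']}]" if s["entry"] else s["section"]
        print(f"  ENC secret: {where}: {s['key']}")
```

Running this over the backups in your file shares and ticketing attachments gives a concrete list of credentials to rotate if a backup from an unpatched release has ever left a trusted store, which is the realistic exposure path this vulnerability creates.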


CVE-2025-5419

CVE-2025-5419 describes a high-severity vulnerability in the V8 JavaScript engine used by Google Chrome, prior to version 137.0.7151.68. The flaw stems from an out-of-bounds read and write condition that can be triggered through a crafted HTML page, potentially leading to heap corruption. This kind of memory error allows attackers to manipulate the memory layout of the running process, which can result in remote code execution under the context of the browser.

The vulnerability is notable for its low attack complexity and the fact that no privileges are required to exploit it. User interaction is necessary (typically visiting a malicious web page), but once triggered the flaw can allow attackers to execute arbitrary code in the renderer, access sensitive information, or crash the browser. It is particularly dangerous in targeted phishing or watering-hole campaigns where crafted JavaScript payloads are embedded in compromised or maliciously hosted sites.

The CVSS v3 score of 8.8 reflects the severity of the potential impact on confidentiality, integrity, and availability, despite the user-interaction requirement. Some vulnerability databases also carry a legacy CVSS v2 score of 10.0, which captures the remote, unauthenticated exploitation potential. The disparity highlights the limitations of scoring systems when evaluating browser-based exploitation chains involving memory corruption.

This vulnerability was confirmed to have been exploited in the wild and was added to CISA's Known Exploited Vulnerabilities catalog in June 2025. It is part of an ongoing pattern of attackers targeting the V8 engine, often chaining JavaScript engine flaws with sandbox escapes or privilege escalation vulnerabilities to compromise host systems. Organizations using Google Chrome in sensitive environments should prioritize updates to patched versions and consider implementing browser isolation or application sandboxing to reduce the risk from future JavaScript engine vulnerabilities. Note that Chrome applies a downloaded update only after the browser is relaunched, so a fleet that auto-updates can still be running the vulnerable build on machines where the browser has stayed open; a relaunch policy or forced restart is part of the fix.
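Verifying that a fleet is on or past 137.0.7151.68 sounds trivial, but version strings are routinely compared as text, which goes wrong as soon as a component has a different number of digits. The added example below (not Google's or Netizen's code) parses Chrome-style four-part versions, compares them numerically against the fixed version named above, and shows the lexical-comparison pitfall beside it. The inventory lines are constructed; the `google-chrome --version` command path is an assumption that varies by platform.

```python
"""
Added example, not Google's or Netizen's code: numeric comparison of
installed Chrome versions against the fixed release named on the page.
Inventory lines are constructed; the local command path is an assumption.
"""
import re
import subprocess

FIXED_VERSION = "137.0.7151.68"   # first fixed version per the page
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract a Chrome-style a.b.c.d version from arbitrary text as ints."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no a.b.c.d version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Tuple comparison orders each component as an integer."""
    return parse_version(installed) < parse_version(fixed)


def naive_string_check(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """What NOT to do: lexical comparison ranks '...103' below '...68'."""
    return VERSION_RE.search(installed).group(0) < fixed


def triage(inventory: list) -> dict:
    """Map hostname -> verdict over (host, version_output) pairs."""
    out = {}
    for host, version_output in inventory:
        try:
            out[host] = "PATCH" if is_vulnerable(version_output) else "ok"
        except ValueError:
            out[host] = "unknown"
    return out


def local_chrome_version(cmd=("google-chrome", "--version")) -> str:
    """Read the on-disk browser version. This reports the installed binary,
    not necessarily the running process; a pending update is applied only
    on relaunch."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()


# Constructed inventory export: hostname and the browser's self-reported version.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 137.0.7151.55"),
    ("ws-02", "Google Chrome 137.0.7151.68"),
    ("ws-03", "Google Chrome 137.0.7151.103"),
    ("ws-04", "Google Chrome 136.0.7103.114"),
    ("ws-05", "not installed"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(host, verdict)
```

The same parser works for any Chromium-based browser that reports a four-part version, but the fixed version differs per vendor, so pass the vendor's own fixed build as `fixed` rather than reusing Chrome's.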


How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular "CISO-as-a-Service" offering, through which companies leverage executive-level cybersecurity expertise without bearing the cost of a full-time hire.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact