Cloudflare changelogs | Application security

Cloudflare changelogs for Application security products

Subscribe to the Cloudflare changelogs | Application security RSS feed: https://developers.cloudflare.com/changelog/rss/application-security.xml

WAF - WAF Release - 2025-05-27

May 27, 2025, 08:00
WAF

This week’s roundup covers nine vulnerabilities, including six critical RCEs and one dangerous file upload. Affected platforms span cloud services, CI/CD pipelines, CMSs, and enterprise backup systems. Several are now addressed by updated WAF managed rulesets.

Key Findings

  • Ingress-Nginx (CVE-2025-1098): Unauthenticated RCE via unsafe annotation handling. Impacts Kubernetes clusters.
  • GitHub Actions (CVE-2025-30066): RCE through malicious workflow inputs. Targets CI/CD pipelines.
  • Craft CMS (CVE-2025-32432): Template injection enables unauthenticated RCE. High risk to content-heavy sites.
  • F5 BIG-IP (CVE-2025-31644): RCE via TMUI exploit, allowing full system compromise.
  • AJ-Report (CVE-2024-15077): RCE through untrusted template execution. Affects reporting dashboards.
  • NAKIVO Backup (CVE-2024-48248): RCE via insecure script injection. High-value target for ransomware.
  • SAP NetWeaver (CVE-2025-31324): Dangerous file upload flaw enables remote shell deployment.
  • Ivanti EPMM (CVE-2025-4428, 4427): Auth bypass allows full access to mobile device management.
  • Vercel (CVE-2025-32421): Information leak via misconfigured APIs. Useful for attacker recon.

Impact

These vulnerabilities expose critical components across Kubernetes, CI/CD pipelines, and enterprise systems to severe threats including unauthenticated remote code execution, authentication bypass, and information leaks. High-impact flaws in Ingress-Nginx, Craft CMS, F5 BIG-IP, and NAKIVO Backup enable full system compromise, while SAP NetWeaver and AJ-Report allow remote shell deployment and template-based attacks. Ivanti EPMM’s auth bypass further risks...
