Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVE-2025-55752 is a path traversal vulnerability in Apache Tomcat. It comes from a regression introduced during a past bug fix. Because of this flaw, Tomcat normalizes URLs before decoding them, which lets attackers craft requests that bypass access controls and reach restricted directories like /WEB-INF/ and /META-INF/. In deployments where HTTP PUT is enabled, an attacker could upload files through this path and potentially gain remote code execution (RCE).

If popular TV and movies are to be believed, hackers break into organizations from dark rooms using flashy zero-day exploits (complete with some sort of showy animation), all while techno music blares in the background, culminating in the oh-so-cool announce of “I’m in!” This… is not reality. The unglamorous truth is that breaches usually stem from a series of small mistakes in unremarkable things: A system that was overlooked when implementing a new policy.

A high-severity vulnerability (CVSS 9.9) has been disclosed in the VPN web server component of Cisco Secure Firewall ASA and FTD software. An authenticated attacker (i.e. one possessing valid VPN credentials) can send specially crafted HTTP(S) requests that bypass input validation and lead to remote code execution as root. This means full device compromise is possible.

Modern enterprises run not only web apps and databases, but also AI agents and tooling servers. MCP (Model Context Protocol) is an interface pattern that exposes tools-functions the agent can call, such as a browser driver, accessibility checker, or script generator. One of the most powerful tools we found exposed was the ability to trigger a browsing task-likely driven by Selenium, Playwright or similar.

A new critical vulnerability, CVE-2025-10035, has been disclosed in Fortra’s GoAnywhere MFT, a widely used managed file transfer solution. The flaw lies in the License Servlet and allows unauthenticated attackers to achieve remote code execution (RCE) through crafted license responses. The vendor has rated this vulnerability as Critical (CVSS 10.0) due to its potential for complete system compromise over the network.

The AI revolution is moving at breakneck speed. Every week, new tools, frameworks, and integrations hit the market. Developers eager to harness the power of large language models and automation platforms are spinning up assets with little thought to long-term security. The result is a wave of exposed services — chatbots, APIs, orchestration tools, and workflow systems — that anyone on the internet can stumble upon. Attackers see this as an open invitation.

The IONIX research team is tracking CVE-2025-42944, an insecure deserialization vulnerability affecting SAP NetWeaver AS Java’s RMI-P4 module—a critical issue warranting immediate attention.

In our day-to-day work and conversations with security experts, one concern comes up regularly: how consistent is our WAF protection? Our answer is always the same: not as much as you think. The truth is that in the case of enterprises, web application firewall (WAF) coverage is rarely uniform. Protection is often a mixed bag of products from different vendors, managed by separate teams, each guarding only part of the attack surface.

A critical Server-Side Request Forgery (SSRF) vulnerability—CVE-2025-8085—has been discovered in the popular WordPress plugin “Ditty (News Ticker & Display Items)” for versions prior to 3.1.58. The issue resides in the displayItems REST API endpoint (wp-json/dittyeditor/v1/displayItems), which lacks authentication and authorization, allowing unauthenticated attackers to force the server to fetch arbitrary URLs—internal or external—via crafted JSON payloads.

In today’s digital landscape, web application security is more critical than ever. Most organizations rely on Cloud-Based Security Providers offering integrated Web Application Firewalls (WAFs) and Content Delivery Networks (CDNs), for shielding their assets from direct exposure and attacks such as SQL injection, XSS, and DDoS.