Links
CISA has mandated that U.S. government agencies patch a serious remote code execution vulnerability in Gogs, identified as CVE-2025-8110. This flaw, stemming from a path traversal issue, allows attackers to overwrite files outside the repository and execute arbitrary commands. Over 1,400 Gogs servers remain exposed, with a second wave of attacks observed recently.
Ransomware gangs are actively exploiting the VMware ESXi flaw CVE-2025-22225, which allows attackers to escape the VMX sandbox. Researchers found evidence of a toolkit used in these attacks, indicating that the vulnerabilities were known to the threat actors long before their public disclosure. CISA has confirmed the flaw's involvement in ongoing ransomware incidents.
TP-Link has acknowledged a zero-day vulnerability affecting multiple router models, which allows for remote code execution due to a stack-based buffer overflow in its CWMP implementation. While a patch is available for European models, users are advised to change default passwords and disable CWMP if not needed until more fixes are released. Additionally, CISA has warned about previously exploited vulnerabilities in TP-Link routers that have been used by threat actors for malicious activities.
Over 800 N-able N-central servers remain unpatched against two critical vulnerabilities, CVE-2025-8875 and CVE-2025-8876, which are currently being exploited. N-able has urged administrators to upgrade to the patched version 2025.3.1, while CISA has mandated that federal agencies mitigate these vulnerabilities within a week. The Shadowserver Foundation reports that most of the vulnerable servers are located in the U.S., Canada, and the Netherlands.
Two new vulnerabilities in Linux have been disclosed that can be exploited together to gain full root access. Additionally, CISA has warned of active exploitation of an older vulnerability affecting the Linux kernel, emphasizing the need for organizations to apply patches immediately.