CVE-2025-2605
Published 2025-05-02
CVE-2025-2605: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse.
Priority: P2 (66)
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.41% (94.8th percentile)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09. Honeywell also recommends updating to the most recent version of this product.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | mb-secure | >= V11.04 < V12.53 | V12.53 |
| honeywell | mb-secure_firmware | >= 11.04 < 12.53 | 12.53 |
| honeywell | mb-secure_pro_firmware | >= 01.06 < 03.09 | 03.09 |
CVSS provenance
NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GHSA
GHSA-4p7f-6rw5-m5v7 (ghsa_unreviewed, 2025-05-02): CVE-2025-2605, CWE-78 (OS Command Injection), severity CRITICAL. The advisory title and description are the same text as the CVE record above. Note that the CRITICAL label here does not match the NVD assessment above (8.8, HIGH, CVSS 3.1); since the GHSA entry is marked unreviewed, check the severity against the NVD vector rather than taking the label at face value.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.