NVD disclosure day

Published threat advisories for December 9, 2025

CVE advisory | Known Exploit

CVE-2025-62221

Microsoft Windows Local Privilege Escalation Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Windows Cloud Files Mini Filter Driver allows local attackers to elevate privileges. This could impact system integrity and data security for organizations. The vulnerability is actively exploited, posing a realistic business risk.

• CISA KEV

CVE advisory | Known Exploit

CVE-2025-59718

Fortinet SSO Authentication Bypass Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A vulnerability in Fortinet products allows unauthorized access by bypassing SSO authentication. This impacts affected organizations by potentially exposing systems and data, creating business risk. Organizations should identify affected assets and apply vendor fixes.

• CISA KEV

CVE advisory | CRITICAL

CVE-2025-12504

Talent Software UNIS SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL Injection vulnerability in Talent Software UNIS allows attackers to inject malicious commands into databases, potentially leading to unauthorized access or manipulation of sensitive information. This issue is reachable over a network. Confirming whether UNIS is deployed is crucial.

CVE advisory | CRITICAL

CVE-2025-11022

Panilux CSRF Command Injection Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A Cross-Site Request Forgery vulnerability in Personal Project Panilux could allow attackers to inject commands if users interact with malicious content. The vendor has disclaimed ownership, leaving the path to remediation uncertain. The primary concern is to determine if this project is in use and potentially exp