Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-24314
Publication date:
11/11/2025
Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Severity CVSS v4.0: LOW
Last modification:
12/11/2025

CVE-2025-20050
Publication date:
11/11/2025
Uncontrolled search path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-20056
Publication date:
11/11/2025
Improper input validation for some Intel VTune Profiler before version 2025.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-20065
Publication date:
11/11/2025
Uncontrolled search path for some Display Virtualization for Windows OS software before version 1797 within Ring 2: Device Drivers may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-20614
Publication date:
11/11/2025
External control of file name or path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-20622
Publication date:
11/11/2025
Sensitive information uncleared in resource before release for reuse for some Intel(R) NPU Drivers for Windows before version 32.0.100.4023 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Severity CVSS v4.0: LOW
Last modification:
12/11/2025

CVE-2025-22391
Publication date:
11/11/2025
Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-12940
Publication date:
11/11/2025
Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610<br /> and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6<br /> Access Points). An user having access to the syslog server can read the logs containing these credentials. <br /> <br /> This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4.<br /> <br /> <br /> Devices<br /> managed with Insight get automatic updates. If not, please check the firmware version<br /> and update to the latest. <br /> <br /> <br /> <br /> <br /> <br /> Fixed in:<br /> <br /> <br /> <br /> WAX610 firmware<br /> 11.8.0.10 or later.<br /> <br /> <br /> <br /> WAX610Y firmware<br /> 11.8.0.10 or later.
Severity CVSS v4.0: LOW
Last modification:
12/11/2025

CVE-2025-12942
Publication date:
11/11/2025
Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to LAN with ability to perform MiTM attacks and control over DNS Server to perform command execution.This issue affects R6260: through 1.1.0.86; R6850: through 1.1.0.86.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-12943
Publication date:
11/11/2025
Improper certificate<br /> validation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream<br /> AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band<br /> WiFi 6E Router) allows attackers with the ability to intercept and<br /> tamper traffic destined to the device to execute arbitrary commands on the<br /> device.<br /> <br /> Devices<br /> with automatic updates enabled may already have this patch applied. If not,<br /> please check the firmware version and update to the<br /> latest.<br /> <br /> <br /> <br /> Fixed in:<br /> <br /> <br /> <br /> RAX30 firmware<br /> 1.0.14.108 or later.<br /> <br /> <br /> <br /> RAXE300 firmware<br /> 1.0.9.82 or later
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-12944
Publication date:
11/11/2025
Improper input validation<br /> in NETGEAR DGN2200v4 (N300 Wireless ADSL2+ Modem Router) allows attackers with<br /> direct network access to the device to potentially execute code on the device.<br /> <br /> Please check the firmware version and update to the latest.<br /> <br /> <br /> <br /> Fixed<br /> in:<br /> <br /> <br /> <br />  DGN2200v4<br /> firmware 1.0.0.132 or later
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-13032
Publication date:
11/11/2025
Double fetch in sandbox kernel driver in Avast/AVG Antivirus
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025
Subscribe to Vulnerabilities