The four critical bugs are typically very reliable to exploit due to their deserialization and authentication logic flaws, noted Ryan Emmons, security researcher at Rapid7. “For attackers, that’s good news, because it means avoiding lots of bespoke exploit development work like you’d see with other less reliable bug classes.”
Instead, attackers can use a standardized malicious payload across many vulnerable targets, Emmons noted. “If exploitation is successful, the attackers gain full control of the software and all the information stored by it, along with the potential ability to move laterally into other systems.”
Meanwhile, the high-severity vulnerability CVE-2025-40536 would allow threat actors to bypass security controls and gain access to certain functionalities that should be restricted only to authenticated users. Finally, CVE-2025-40537 is a hardcoded credentials vulnerability that, “under certain situations,” could provide access to administrative functions.
