ID,CVE,Title,Product,Affected Asset,CVSS v3.1,EPSS,Severity,Discovered,Source,Patch Available,Remediation Deadline,Status,Owner,Notes
VUL-2025-001,CVE-2025-21293,Windows Kernel Elevation of Privilege,Microsoft Windows 10/11 Server 2019/2022,AST-005 AST-004,7.8,0.08,High,2025-01-14,MS Patch Tuesday,Yes,2025-02-14,Closed,IT Operations Lead,Patched via WSUS 2025-01-18
VUL-2025-002,CVE-2025-29813,Azure DevOps privilege escalation variable groups,Azure DevOps Services,AST-013 (GitLab CI but Azure DevOps used for one legacy project),10.0,0.12,Critical,2025-05-08,MSRC advisory,Yes,2025-05-15,Closed,Head of Engineering,Microsoft hosted patched - verified tenant
VUL-2024-210,CVE-2024-38200,Microsoft Office NTLM hash disclosure,Microsoft Office 2019/2021/365,AST-003 AST-006,7.5,0.21,High,2024-08-13,MS Patch Tuesday,Yes,2024-09-13,Closed,IT Operations Lead,Patched fleet via Intune
VUL-2025-003,CVE-2025-24989,Microsoft Power Pages auth bypass,Microsoft Power Pages,Customer portal (Power Pages),8.2,0.35,High,2025-02-19,MSRC KEV,Yes (vendor side),N/A,Closed,Head of Engineering,Vendor patched - verified
VUL-2025-004,CVE-2025-22224,VMware ESXi heap overflow,VMware ESXi 7.0/8.0,AST-004 AST-005 (hypervisor),9.3,0.28,Critical,2025-03-04,CISA KEV,Yes,2025-03-18,Closed,IT Operations Lead,Emergency change EC-2025-003
VUL-2025-005,CVE-2025-30397,Microsoft Scripting Engine RCE (Edge/Chakra),Microsoft Edge legacy,AST-006,8.8,0.15,High,2025-05-13,MS Patch Tuesday,Yes,2025-06-13,Closed,IT Operations Lead,Auto-update
VUL-2025-006,CVE-2024-7971,Google Chrome V8 type confusion,Google Chrome,AST-006,8.8,0.88,Critical,2024-08-21,Chrome release,Yes,2024-08-28,Closed,IT Operations Lead,Chrome auto-update enforced
VUL-2025-007,CVE-2025-20281,Cisco IOS XE privilege escalation,Cisco IOS XE,AST-010 (if Cisco - check applicability),6.7,0.03,Medium,2025-06-25,Cisco PSIRT,Yes,2025-07-25,N/A,IT Operations Lead,Not applicable - Fortinet stack
VUL-2025-008,CVE-2025-26633,Microsoft Management Console bypass,Microsoft Windows,AST-005 AST-004 AST-006,7.0,0.42,High,2025-03-11,CISA KEV,Yes,2025-04-11,Closed,IT Operations Lead,Patched via WSUS
VUL-2025-009,CVE-2024-3094,XZ Utils backdoor (liblzma),xz-utils 5.6.0-5.6.1,Internal Linux build servers (2x),10.0,0.62,Critical,2024-03-29,Debian advisory,Yes (downgrade),2024-03-30,Closed,IT Operations Lead,Rolled back to 5.4.6 within hours
VUL-2025-010,CVE-2025-32756,Fortinet FortiOS stack overflow,Fortinet FortiOS 7.2/7.4,AST-010,9.8,0.71,Critical,2025-05-13,CISA KEV,Yes,2025-05-20,Closed,IT Operations Lead,Emergency change EC-2025-011
VUL-2025-011,CVE-2025-24201,Apple WebKit out-of-bounds write,macOS/iOS Safari,AST-006 AST-014,8.1,0.11,High,2025-03-11,Apple advisory,Yes,2025-04-11,Closed,IT Operations Lead,MDM enforced update
VUL-2025-012,CVE-2025-22457,Ivanti Connect Secure stack overflow,Ivanti Connect Secure,AST-011 (if Ivanti - check),9.0,0.55,Critical,2025-04-03,CISA KEV,Yes,2025-04-10,N/A,IT Operations Lead,Not applicable - Fortinet VPN used
VUL-2025-013,CVE-2025-29824,Windows CLFS driver privilege escalation,Microsoft Windows,AST-005 AST-004,7.8,0.25,High,2025-04-08,MS Patch Tuesday,Yes,2025-05-08,Closed,IT Operations Lead,Patched via WSUS
VUL-2025-014,CVE-2025-3248,Langflow missing authentication remote code execution,Langflow (internal POC),Internal POC environment,9.8,0.47,Critical,2025-04-07,Horizon3 advisory,Yes,2025-04-10,Closed,Head of Engineering,Decommissioned POC