CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================
INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Exploit Against FreePBX (CVE-2025-57819) with code execution.
Published: 2025-10-07
Last Updated: 2025-10-07 16:23:36 UTC
by Johannes Ullrich (Version: 1)
FreePBX is a popular PBX system built around the open source VoIP system Asterisk. To manage Asterisk more easily, it provides a capable web-based admin interface. Sadly, like so many web applications, it has had its share of vulnerabilities in the past. Most recently, a SQL injection vulnerability was found that allows attackers to modify the database.
For a PBX, there are a number of obvious attacks. For example, they are often abused for free phone calls, to impersonate the companies running the PBX, or to hide the true origin of phone calls. Manipulating the FreePBX database would certainly facilitate these types of attacks. However, I noticed some slightly more interesting attacks recently attempting to achieve complete code execution …
Read the full entry: https://isc.sans.edu/diary/Exploit+Against+FreePBX+CVE202557819+with+code+execution/32350/
Quick and Dirty Analysis of Possible Oracle E-Business Suite Exploit Script (CVE-2025-61882) [UPDATED]
Published: 2025-10-06
Last Updated: 2025-10-06 12:36:04 UTC
by Johannes Ullrich (Version: 1)
[Update: I added the server part delivering the payload]
This weekend, Oracle published a surprise security bulletin announcing an exploited vulnerability in Oracle E-Business Suite. As part of the announcement, which also included a patch, Oracle published IoCs observed as part of the incident response.
One script I found interesting is what Oracle calls “exp[.]py”. Here is a quick analysis of the HTTP requests sent by the script. I only ran it against a simple Python web server, not an actual Oracle E-Business Suite install.
The script takes two parameters: The URL of the target and the IP/port of a config server.
The first request sent by the script …
Read the full entry: https://isc.sans.edu/diary/Quick+and+Dirty+Analysis+of+Possible+Oracle+EBusiness+Suite+Exploit+Script+CVE202561882+UPDATED/32346/
OTHER INTERNET STORM CENTER ENTRIES
Polymorphic Python Malware (2025.10.08)
https://isc.sans.edu/diary/Polymorphic+Python+Malware/32354/
More .well-known Scans (2025.10.02)
https://isc.sans.edu/diary/More+wellknown+Scans/32340/
RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-61882 – Oracle Concurrent Processing in Oracle E-Business Suite (BI Publisher Integration) versions 12.2.3-12.2.14 is susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker to take over the Oracle Concurrent Processing component.
Product: Oracle Concurrent Processing
CVSS Score: 9.8
** KEV since 2025-10-06 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61882
ISC Diary: https://isc.sans.edu/diary/32346
ISC Podcast: https://isc.sans.edu/podcastdetail/9642
NVD References:
– https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
– https://blogs.oracle.com/security/post/apply-july-2025-cpu
– https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
CVE-2025-57819 – FreePBX is vulnerable to unauthenticated access and remote code execution due to insufficient data sanitization, patched in versions 15.0.66, 16.0.89, and 17.0.3.
Product: FreePBX 15, 16, and 17
CVSS Score: 0
** KEV since 2025-08-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57819
ISC Diary: https://isc.sans.edu/diary/32350
ISC Podcast: https://isc.sans.edu/podcastdetail/9646
CVE-2025-10035 – Fortra’s GoAnywhere MFT is susceptible to a deserialization vulnerability, which enables an actor to inject commands by deserializing an arbitrary object with a forged license response signature.
Product: Fortra GoAnywhere MFT
CVSS Score: 0
** KEV since 2025-09-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10035
ISC Podcast: https://isc.sans.edu/podcastdetail/9644
CVE-2014-6278 – GNU Bash OS Command Injection Vulnerability
Product: GNU Bash 4.3
CVSS Score: 0
** KEV since 2025-10-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2014-6278
CVE-2017-1000353 – Jenkins Remote Code Execution Vulnerability
Product: Jenkins
CVSS Score: 0
** KEV since 2025-10-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-1000353
NVD References: https://www.jenkins.io/security/advisory/2017-04-26/
CVE-2015-7755 – Juniper ScreenOS Improper Authentication Vulnerability
Product: Juniper ScreenOS 6.3.0
CVSS Score: 0
** KEV since 2025-10-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-7755
CVE-2025-10725 – Red Hat Openshift AI Service is susceptible to privilege escalation, enabling a low-privileged attacker to become a full cluster administrator and compromise the confidentiality, integrity, and availability of the cluster.
Product: Red Hat Openshift AI Service
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10725
ISC Podcast: https://isc.sans.edu/podcastdetail/9640
CVE-2025-49844 – Redis versions 8.2.1 and below are vulnerable to a use-after-free exploit via specially crafted Lua scripts, potentially allowing for remote code execution.
Product: Redis
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49844
ISC Podcast: https://isc.sans.edu/podcastdetail/9644
CVE-2024-58040 – Crypt::RandomEncryption for Perl version 0.01 uses the insecure rand() function during encryption.
Product: Crypt::RandomEncryption Perl
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-58040
CVE-2025-11148 – Check-branches is vulnerable to command injection due to trusting user input for branch names and concatenating them to spawn git commands.
Product: Npm check-branches
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11148
CVE-2025-34217 – Vasion Print Virtual Appliance Host and Application have a hardcoded ‘printerlogic’ user with SSH access, allowing attackers to gain root access with the matching private key.
Product: Vasion Virtual Appliance Application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-34217
CVE-2025-7493 – FreeIPA has a privilege escalation flaw that allows an attacker to gain domain administrator access and perform administrative tasks over the REALM, potentially leading to sensitive data exfiltration.
Product: FreeIPA
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7493
CVE-2025-56513 – NiceHash QuickMiner 6.12.0 is vulnerable to supply chain attacks through unvalidated software updates over HTTP, allowing for remote code execution by intercepting or redirecting traffic to the update url.
Product: NiceHash QuickMiner
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56513
CVE-2025-10659 – The Telenium Online Web Application is vulnerable to remote code execution via crafted HTTP requests due to an insecurely terminated regular expression check in an accessible PHP endpoint.
Product: Telenium Online Web Application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10659
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-01
CVE-2025-61622 – Pyfory versions 0.12.0 through 0.12.2, or legacy pyfury versions from 0.1.0 through 0.10.3, are vulnerable to arbitrary code execution through deserialization of untrusted data.
Product: Pyfory
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61622
CVE-2025-61044 & CVE-2025-61045 – TOTOLINK X18 V9.1.0cu.2053_B20230309 was discovered to contain command injection vulnerabilities.
Product: Totolink X18
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61044
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61045
CVE-2025-59735 through CVE-2025-59741 – AndSoft’s e-TMS v25.03 contains multiple OS command injection vulnerabilities.
Product: AndSoft E-TMS 25.03
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59735
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59736
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59737
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59738
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59739
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59740
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59741
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
CVE-2025-59742 & CVE-2025-59743 – AndSoft’s e-TMS v25.03 contains SQL injection vulnerabilities.
Product: AndSoft E-TMS 25.03
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59742
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59743
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
CVE-2025-59407 – The Flock Safety DetectionProcessing application 6.35.33 for Android exposes a Java Keystore (flock_rye.bks) with a hardcoded password (flockhibiki17) containing a private key.
Product: Flock Safety DetectionProcessing com.flocksafety.android.objects
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59407
CVE-2025-61603 & CVE-2025-61605 – WeGIA is vulnerable to SQL Injection in versions 3.4.12 and below.
Product: WeGIA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61603
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61605
CVE-2025-59489 – Unity Runtime before 2025-10-02 allows argument injection on Android, Windows, macOS, and Linux, potentially enabling remote code execution and information exfiltration.
Product: Unity Runtime
CVSS Score: 7.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59489
ISC Podcast: https://isc.sans.edu/podcastdetail/9642
CVE-2023-49886 – IBM Standards Processing Engine 10.0.1.10 is vulnerable to a remote code execution exploit through unsafe java deserialization.
Product: IBM Standards Processing Engine 10.0.1.10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49886
NVD References: https://www.ibm.com/support/pages/node/7247179
CVE-2025-36356 – IBM Security Verify Access and IBM Security Verify Access Docker versions 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 may permit a locally authenticated user to gain root access by leveraging excessive privileges.
Product: IBM Security Verify Access
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36356
NVD References: https://www.ibm.com/support/pages/node/7247215
CVE-2025-59159 – SillyTavern’s web user interface in versions prior to 1.13.4 is vulnerable to DNS rebinding, allowing a malicious web page to drive the locally running UI; patched in version 1.13.4.
Product: SillyTavern
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59159
CVE-2025-57247 – The BATBToken smart contract contains incorrect access control implementation in whitelist management functions, allowing unauthorized users to bypass transfer restrictions and manipulate special address settings.
Product: BATBToken smart contract
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57247
CVE-2025-60957, CVE-2025-60964, & CVE-2025-60965 – EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 contains OS command injection vulnerabilities.
Product: EndRun Technologies Sonoma D12 Network Time Server
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60957
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60964
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60965
CVE-2025-61777 – Flag Forge’s `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints allowed unauthorized access, potentially leading to data exposure and abuse of the badge system, prior to version 2.3.2.
Product: Flag Forge Capture The Flag (CTF) platform
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61777
CVE-2025-57515 – Uniclare Student Portal v2 is vulnerable to SQL injection through its input fields; remote attackers can inject SQL that invokes time-delay functions (time-based blind SQL injection).
Product: Uniclare Student Portal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57515
CVE-2025-0603 – Callvision Emergency Code before V3.0 is vulnerable to SQL Injection and Blind SQL Injection.
Product: Callvision Healthcare Callvision Emergency Code
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0603
CVE-2025-25009 – Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
Product: Kibana
CVSS Score: 8.7
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25009
ISC Podcast: https://isc.sans.edu/podcastdetail/9646
CVE-2025-3450 – Improper Resource Locking vulnerability in B&R Industrial Automation Automation Runtime. This issue affects Automation Runtime: from 6.0 before 6.3, before Q4.93.
Product: B&R Industrial Automation Automation Runtime
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3450
CVE-2025-44823 – Nagios Log Server allows authenticated users to retrieve cleartext administrative API keys via a specific API call, GL:NLS#475.
Product: Nagios Log Server
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44823
CVE-2025-11418 – Tenda CH22 up to 1.0.0.1 is vulnerable to a remote stack-based buffer overflow in function formWrlsafeset of the HTTP Request Handler component.
Product: Tenda CH22
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11418
CVE-2025-11423 – Tenda CH22 1.0.0.1 is vulnerable to remote memory corruption due to improper handling of user input in the formSafeEmailFilter function within the /goform/SafeEmailFilter file.
Product: Tenda CH22
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11423
CVE-2025-10728 – The vulnerability in the module leads to a stack overflow (denial of service) when rendering an SVG file containing a element.
Product: Nozavicka SVG Component
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10728
ISC Podcast: https://isc.sans.edu/podcastdetail/9646
CVE-2025-10729 – Module X allows for parsing a node outside of a structural node, resulting in potential use after free vulnerability.
Product: Linux
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10729
ISC Podcast: https://isc.sans.edu/podcastdetail/9646
NVD References: https://codereview.qt-project.org/c/qt/qtsvg/+/676473
CVE-2025-30247 – Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms is vulnerable to OS command injection, allowing remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.
Product: Western Digital My Cloud
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30247
ISC Podcast: https://isc.sans.edu/podcastdetail/9636
CVE-2025-8625 – The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution through its copyreap_handle_image() Function in versions 1.1 to 1.2.
Product: Copypress Rest API plugin for WordPress
Active Installations: This plugin has been closed as of September 26, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8625
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/3045c9e5-4095-48e5-8d9d-16a091e69d54?source=cve
CVE-2025-9762 – The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially achieve remote code execution.
Product: WordPress Post By Email plugin
Active Installations: This plugin has been closed as of September 26, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9762
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/885eb923-8e69-416b-8494-a42a9465cfe0?source=cve
CVE-2020-36852 – The Custom Searchable Data Entry System plugin for WordPress up to version 1.7.1 is vulnerable to unauthenticated database wiping, allowing attackers to erase tables like wp_users.
Product: WordPress Custom Searchable Data Entry System plugin
Active Installations: This plugin has been closed as of March 12, 2020 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36852
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/245d89e5-52cc-44b1-a858-0ca0aacb4e26?source=cve
CVE-2025-9697 – The Ajax WooSearch WordPress plugin allows unauthenticated users to perform SQL injection attacks due to inadequate sanitisation of user input.
Product: Ajax WooSearch WordPress plugin
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9697
NVD References: https://wpscan.com/vulnerability/38939152-e54e-4f8f-996b-592de195570d/
CVE-2025-6388 – The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions, allowing unauthenticated attackers to log in as any user, including administrators.
Product: WordPress Spirit Framework plugin
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6388
NVD References: https://themespirit.com/talemy-changelog/
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a4cbc0e7-4328-451f-a595-1ce17e9d0031?source=cve
CVE-2025-10726 – The WPRecovery plugin for WordPress is vulnerable to SQL Injection which allows unauthenticated attackers to extract sensitive information and delete arbitrary files on the server.
Product: WPScan WPRecovery plugin
Active Installations: This plugin has been closed as of October 1, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10726
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/15880d3b-87de-4b59-878c-e36e73c45e8a?source=cve
CVE-2025-7721 – The JoomSport plugin for WordPress is vulnerable to Local File Inclusion up to version 5.7.3, allowing unauthenticated attackers to execute arbitrary .php files on the server and potentially bypass access controls or obtain sensitive data.
Product: JoomSport for Sports: Team & League, Football, Hockey & more plugin for WordPress
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7721
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/4f3900c7-2acb-4031-9854-b0b13e172e1f?source=cve
CVE-2025-9209 – RestroPress – Online Food Ordering System plugin for WordPress allows unauthenticated attackers to forge JWT tokens for other users via the /wp-json/wp/v2/users endpoint, leading to Authentication Bypass.
Product: RestroPress Online Food Ordering System plugin for WordPress
Active Installations: This plugin has been closed as of September 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9209
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/359833dd-de3c-48ea-8eef-06588a590da2?source=cve
CVE-2025-9286 – The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation through missing authorization in the reset_user_password() REST handler.
Product: Appy Pie Connect for WooCommerce plugin
Active Installations: This plugin has been closed as of October 1, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9286
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve
CVE-2025-9485 – The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to improper verification of cryptographic signatures, allowing unauthenticated attackers to gain access to user accounts or create new accounts.
Product: WordPress OAuth Single Sign On – SSO (OAuth Client) plugin
Active Installations: 6,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9485
NVD References: https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577
NVD References: https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-online-google-facebook
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/d2448afc-70d1-4dd5-b73b-62d182ee9a8a?source=cve