CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================
INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Honeypot: FortiWeb CVE-2025-64446 Exploits
Published: 2025-11-15
Last Updated: 2025-11-15 09:44:35 UTC
by Didier Stevens (Version: 1)
Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots.
These are POST requests to this path …
With this User Agent String …
Read the full entry: https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486/
KongTuke activity
Published: 2025-11-18
Last Updated: 2025-11-18 07:10:17 UTC
by Brad Duncan (Version: 1)
Introduction
Today’s diary is an example of KongTuke activity using fake CAPTCHA pages for a ClickFix-style lure.
Also known as LandUpdate808 or TAG-124 and described as a sophisticated TDS system, KongTuke has been active since at least May 2024. I keep track of this campaign through the infosec.exchange Mastodon instance, which is mostly information from the @monitorsg profile.
With URLscan, I can pivot on the information from Mastodon to find compromised sites and generate infection traffic in my lab.
On Monday, 2025-11-17, I found an example of a legitimate website with a KongTuke-injected script, and I generated some infection traffic …
Read the full entry: https://isc.sans.edu/diary/KongTuke+activity/32498/
Finger[.]exe & ClickFix
Published: 2025-11-16
Last Updated: 2025-11-16 07:27:55 UTC
by Didier Stevens (Version: 1)
The finger[.]exe command is used in ClickFix attacks.
finger is a very old UNIX command that was ported to a Windows executable years ago and has been part of Windows ever since.
In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.
We wrote about finger.exe about 3 years ago: “Finger[.]exe LOLBin”.
What you need to know:
finger communication takes place over TCP
the finger protocol uses TCP port 79 and there is no way to change this port
finger[.]exe is not proxy aware
So if you are in a corporate environment with an explicit proxy (and all Internet-facing communication that doesn’t go through the proxy is blocked), the finger.exe command won’t be able to communicate.
And if you have a transparent proxy, finger.exe will be able to communicate provided the proxy allows TCP connections to port 79 …
Read the full entry: https://isc.sans.edu/diary/Fingerexe+ClickFix/32492/
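As an added example (not code from the diary or from ISC), the following Python script turns the three facts above into a detection over egress firewall logs: because finger.exe can only speak TCP/79 and ignores proxy settings, any TCP/79 flow from the internal network towards the Internet is worth a look, and an allowed one is exactly the transparent-proxy or egress-filter gap the diary warns about. The key=value log format, the sample lines, and the assumption that internal address space is RFC 1918 are all constructed for this example; adapt the parser to your own firewall export.

```python
"""
Flag outbound finger (TCP/79) flows in egress firewall logs.

Added example, not part of the ISC diary. Assumptions (constructed for
this example): a key=value log format with ts/src/dst/dport/proto/action
fields, and RFC 1918 ranges as the "internal" address space.
"""
import ipaddress
import re
from dataclasses import dataclass

FINGER_PORT = 79  # fixed by the finger protocol; finger.exe cannot change it

# Assumed internal ranges; replace with your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample lines: two proxy (3128) flows, one blocked and one
# allowed finger flow to the Internet, and one internal finger flow.
SAMPLE_LOG = """\
ts=2025-11-16T07:01:02Z src=10.0.5.23 dst=10.0.1.10 dport=3128 proto=tcp action=allow
ts=2025-11-16T07:01:05Z src=10.0.5.23 dst=203.0.113.45 dport=79 proto=tcp action=deny
ts=2025-11-16T07:02:11Z src=10.0.7.8 dst=198.51.100.9 dport=79 proto=tcp action=allow
ts=2025-11-16T07:02:30Z src=10.0.7.8 dst=10.0.1.10 dport=3128 proto=tcp action=allow
ts=2025-11-16T07:03:00Z src=10.0.9.1 dst=10.0.2.5 dport=79 proto=tcp action=allow
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    action: str


def parse_line(line):
    """Parse one key=value log line into a Flow."""
    f = dict(FIELD_RE.findall(line))
    return Flow(f["ts"], f["src"], f["dst"], int(f["dport"]), f["proto"].lower(), f["action"].lower())


def is_internal(ip_str):
    """True if the address falls inside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def finger_findings(log_text):
    """Return one finding per TCP/79 flow that leaves the internal network.

    An allowed flow is 'high': the egress filter or transparent proxy let
    finger through, so a script may have been retrieved. A denied flow is
    'medium': nothing got out, but something on the source host tried to
    speak finger, which on a Windows client points at finger.exe being run.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        if flow.proto != "tcp" or flow.dport != FINGER_PORT:
            continue
        if is_internal(flow.dst):
            continue  # internal finger traffic is a different question
        severity = "high" if flow.action == "allow" else "medium"
        findings.append(
            {"ts": flow.ts, "src": flow.src, "dst": flow.dst, "action": flow.action, "severity": severity}
        )
    return findings


def report(findings):
    """Render findings as one line each, most severe first."""
    order = {"high": 0, "medium": 1}
    lines = []
    for f in sorted(findings, key=lambda x: order[x["severity"]]):
        lines.append(f"[{f['severity'].upper()}] {f['ts']} {f['src']} -> {f['dst']}:79 ({f['action']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(finger_findings(SAMPLE_LOG)))
```

On a network with an explicit proxy the expected steady state is zero findings; a "medium" hit still deserves an endpoint look, since the block only tells you the network did its job, not why the host tried to reach port 79.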
OTHER INTERNET STORM CENTER ENTRIES
Decoding Binary Numeric Expressions (2025.11.17)
https://isc.sans.edu/diary/Decoding+Binary+Numeric+Expressions/32490/
SANS Holiday Hack Challenge 2025 (2025.11.16)
https://isc.sans.edu/diary/SANS+Holiday+Hack+Challenge+2025/32488/
Microsoft Office Russian Dolls (2025.11.14)
https://isc.sans.edu/diary/Microsoft+Office+Russian+Dolls/32484/
Formbook Delivered Through Multiple Scripts (2021.11.13)
https://isc.sans.edu/diary/Formbook+Delivered+Through+Multiple+Scripts/32480/
SmartApeSG campaign uses ClickFix page to push NetSupport RAT (2025.11.12)
https://isc.sans.edu/diary/SmartApeSG+campaign+uses+ClickFix+page+to+push+NetSupport+RAT/32474/
RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-64446 – Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 are vulnerable to relative path traversal, enabling attackers to execute administrative commands via specially-crafted HTTP or HTTPS requests.
Product: Fortinet FortiWeb
CVSS Score: 9.8
** KEV since 2025-11-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
NVD References:
– https://fortiguard.fortinet.com/psirt/FG-IR-25-910
– https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446
CVE-2025-58034 – Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 are vulnerable to OS command injection, which could allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Product: Fortinet FortiWeb
CVSS Score: 7.2
** KEV since 2025-11-18 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58034
NVD References:
– https://fortiguard.fortinet.com/psirt/FG-IR-25-513
– https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034
CVE-2025-12480 – Triofox is vulnerable to an Improper Access Control flaw, allowing access to initial setup pages post-completion in versions before 16.7.10368.56560.
Product: Triofox
CVSS Score: 0
** KEV since 2025-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12480
ISC Podcast: https://isc.sans.edu/podcastdetail/9696
CVE-2025-62215 – Windows Kernel is vulnerable to race conditions that can be exploited by an authorized attacker to locally elevate privileges.
Product: Microsoft Windows 10 1809
CVSS Score: 7.0
** KEV since 2025-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62215
NVD References:
– https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215
– https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-62215
CVE-2025-42887 – SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42887
NVD References: https://url.sap/sapsecuritypatchday
CVE-2025-42890 – SAP SQL Anywhere Monitor (Non-GUI) has baked credentials into the code, allowing unintended users to access resources and potentially execute arbitrary code, posing a high risk to system security.
Product: SAP SQL Anywhere Monitor
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42890
NVD References: https://url.sap/sapsecuritypatchday
CVE-2017-20210 – Photo Station 5.4.1 & 5.2.7 have a vulnerability related to XMR mining programs.
Product: QNAP Photo Station
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20210
NVD References: https://www.qnap.com/en-in/security-advisory/nas-201705-04
CVE-2025-8324 – Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration.
Product: Zohocorp ManageEngine Analytics Plus
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8324
NVD References: https://www.manageengine.com/analytics-plus/CVE-2025-8324.html
CVE-2025-13021, CVE-2025-13022, CVE-2025-13023 & CVE-2025-13026 – Incorrect boundary conditions in the Graphics: WebGPU component. These vulnerabilities affect Firefox < 145.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13021
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13022
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13023
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13026
NVD References: https://www.mozilla.org/security/advisories/mfsa2025-87/
CVE-2025-13024 – JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 145.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13024
NVD References: https://www.mozilla.org/security/advisories/mfsa2025-87/
CVE-2025-13032 – Avast/AVG Antivirus <25.3 on Windows is vulnerable to a double fetch in the sandbox kernel driver, allowing local attackers to escalate privileges via pool overflow.
Product: Avast AVG Antivirus
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13032
CVE-2025-60724 – Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
Product: Microsoft Office
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60724
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724
CVE-2025-12870 & CVE-2025-12871 – aEnrich’s a+HRD software is vulnerable to Authentication Abuse, enabling unauthorized remote attackers to create admin access tokens for elevated system access.
Product: aEnrich a+HRD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12870
NVD References: https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html
CVE-2025-63666 – Tenda AC15 v15.03.05.18_multi exposes account password hash and uses insecure session identifier, allowing attackers to steal cookies and access protected resources.
Product: Tenda AC15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63666
NVD References: https://github.com/Remenis/CVE-2025-63666
CVE-2025-11366 – N-central < 2025.4 is vulnerable to authentication bypass via path traversal.
Product: N-Able N-Central
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11366
NVD References: https://me.n-able.com/s/security-advisory/aArVy0000000rcDKAQ/cve202511366-ncentral-authentication-bypass-via-path-traversal
CVE-2025-11367 – The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization.
Product: N-Able N-Central
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11367
NVD References: https://me.n-able.com/s/security-advisory/aArVy0000000rfRKAQ/cve202511367-ncentral-windows-software-probe-remote-code-execution
CVE-2025-63289 – Sogexia Android App’s encryption_helper.dart file in SDK v35 and below had hardcoded encryption keys.
Product: Sogexia Android App Compile
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63289
CVE-2025-63353 – FiberHome GPON ONU HG6145F1 RP4423 is vulnerable to network access as attackers can predict the factory default Wi-Fi password from the SSID.
Product: FiberHome GPON ONU HG6145F1 RP4423
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63353
CVE-2025-64280 & CVE-2025-64281 – Multiple vulnerabilities in CentralSquare Community Development 19.5.7.
Product: CentralSquare Community Development
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64280
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64281
NVD References: https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr
CVE-2025-56385 – WellSky Harmony version 4.1.0.2.83 contains a SQL injection vulnerability in the login functionality that could result in authentication bypass, data leakage, or full system compromise.
Product: WellSky Harmony
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56385
NVD References: https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection
CVE-2025-63679 – Free5GC v4.1.0 and before is vulnerable to Buffer Overflow during the processing of a UplinkRANConfigurationTransfer NGAP message from a gNB, causing the AMF process to crash.
Product: Free5GC v4.1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63679
CVE-2025-46608 – Dell Data Lakehouse versions prior to 1.6.0.0 have an Improper Access Control vulnerability that could allow a high privileged attacker to gain elevated privileges, compromising system integrity and customer data.
Product: Dell Data Lakehouse
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46608
NVD References: https://www.dell.com/support/kbdoc/en-us/000390529/dsa-2025-375-security-update-for-dell-data-lakehouse-multiple-vulnerabilities
CVE-2025-12762 – pgAdmin is vulnerable to Remote Code Execution (RCE) when restoring PLAIN-format dump files in server mode, enabling attackers to execute arbitrary commands on the hosting server, compromising the database’s security.
Product: pgAdmin
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12762
CVE-2025-64709 – Typebot’s HTTP Request component functionality prior to version 3.13.1 contains a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated users to access AWS Instance Metadata Service (IMDS) and extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure.
Product: Typebot chatbot builder
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64709
CVE-2025-36096 – IBM AIX 7.2, 7.3, and IBM VIOS 3.1, 4.1 have insecure storage of NIM private keys, making them vulnerable to unauthorized access through man in the middle attacks.
Product: IBM AIX 7.2 and 7.3, IBM VIOS 3.1 and 4.1
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36096
NVD References: https://www.ibm.com/support/pages/node/7251173
CVE-2025-36250 – IBM AIX 7.2, 7.3, and IBM VIOS 3.1, 4.1 NIM server are vulnerable to remote code execution through the nimesis service due to improper process controls.
Product: IBM AIX 7.2
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36250
NVD References: https://www.ibm.com/support/pages/node/7251173
CVE-2025-36251 – IBM AIX 7.2, 7.3, and IBM VIOS 3.1, 4.1 nimsh service SSL/TLS implementations could allow remote attackers to execute arbitrary commands by lacking proper process controls.
Product: IBM AIX 7.2 and 7.3, IBM VIOS 3.1 and 4.1
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36251
NVD References: https://www.ibm.com/support/pages/node/7251173
CVE-2025-54339 & CVE-2025-54343 – Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 allows remote attackers to escalate privileges due to Incorrect Access Control vulnerabilities in the Application Server.
Product: Desktop Alert PingAlert
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54339
NVD References:
– https://desktopalert.net/cve-2025-54339/
– https://desktopalert.net/CVE-2025-54343/
CVE-2025-13188 – D-Link DIR-816L 2_06_b09_beta is susceptible to a stack-based buffer overflow via manipulation of the Password argument in authenticationcgi_main of /authentication.cgi, allowing for remote exploitation despite no longer being supported by the maintainer.
Product: D-Link DIR-816L
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13188
CVE-2025-58083 – General Industrial Controls Lynx+ Gateway is vulnerable to remote device reset due to missing critical authentication in the embedded web server.
Product: General Industrial Controls Lynx+ Gateway
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58083
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08
CVE-2025-13284 – ThinPLUS by ThinPLUS is at risk of unauthorized remote attackers exploiting an OS Command Injection vulnerability to execute arbitrary commands on the server.
Product: ThinPLUS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13284
NVD References: https://www.twcert.org.tw/en/cp-139-10513-0d82b-2.html
CVE-2025-63747 – QaTraq 6.9.2 has default administrative account credentials that allow immediate login via the web application, granting attackers administrative access.
Product: QaTraq 6.9.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63747
CVE-2024-44659 – PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php.
Product: PHPGurukul Online Shopping Portal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44659
CVE-2025-40547, CVE-2025-40548 & CVE-2025-40549 – SolarWinds Serv-U has multiple vulnerabilities that allow a malicious actor with admin privileges to execute code.
Product: SolarWinds Serv-U
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40547
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40548
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40549
NVD References:
– https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm
– https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40547
– https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548
– https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549
CVE-2025-41733 – Affected devices do not validate if already initialized, allowing unauthenticated remote attacker to set root credentials via POST requests on the commissioning wizard.
Product: METZ CONNECT EWIO2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41733
NVD References:
– https://certvde.com/de/advisories/VDE-2025-097
– https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-05
CVE-2025-41734 – An unauthenticated remote attacker can execute arbitrary PHP files and gain full access to the affected devices.
Product: METZ CONNECT EWIO2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41734
NVD References:
– https://certvde.com/de/advisories/VDE-2025-097
– https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-05
CVE-2025-9312 – WSO2 products are vulnerable to a missing authentication enforcement issue in their mutual TLS implementation, allowing for unauthenticated requests and potential unauthorized access by malicious actors.
Product: WSO2 System REST APIs and SOAP services
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9312
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4494/
CVE-2025-11170 – The cpi-wp-migration CPI plugin for WordPress allows unauthenticated attackers to upload arbitrary files on the server, potentially leading to remote code execution.
Product: cpi-wp-migration CPI plugin for WordPress
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11170
NVD References:
– https://wordpress.org/plugins/cpi-wp-migration/
– https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve
CVE-2025-12813 – The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution up to version 7.1 through the ‘contents’ parameter, allowing unauthenticated attackers to execute code on the server.
Product: WordPress Holiday class post calendar plugin
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12813
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve
CVE-2025-12539 – The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure due to storing cPanel API credentials in unprotected files, allowing attackers to compromise the hosting environment.
Product: TNC Toolbox Web Performance plugin for WordPress
Active Installations: 1,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12539
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve
CVE-2025-9501 – W3 Total Cache WordPress plugin before 2.8.13 allows unauthenticated users to execute PHP commands by injecting a malicious payload in a comment.
Product: W3-EDGE W3 Total Cache WordPress plugin
Active Installations: 1 million+
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9501