@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 47

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Microsoft Patch Tuesday December 2025
Published: 2025-12-09
Last Updated: 2025-12-09 20:20:54 UTC
by Johannes Ullrich (Version: 1)

This release addresses 57 vulnerabilities. 3 of these vulnerabilities are rated critical. One vulnerability was already exploited, and two were publicly disclosed before the patch was released.

CVE-2025-62221: This privilege escalation vulnerability in the Microsoft Cloud Files Mini Filters driver is already being exploited.

CVE-2025-54100: A PowerShell script using Invoke-WebRequest may execute scripts that are included in the response. This is what Invoke-WebRequest is supposed to do. The patch adds a warning suggesting adding the -UseBasicParsing parameter to avoid executing scripts.
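As an added example (not from the ISC diary or from Microsoft), the check below audits a tree of .ps1 files for Invoke-WebRequest calls that omit -UseBasicParsing, using PowerShell's own parser rather than a regex so aliases and split lines are handled. It assumes Windows PowerShell 5.1, where a call without the switch still hands the response to the Internet Explorer HTML engine; the function name and the C:\Scripts path are hypothetical.

```powershell
# Added example, not part of the ISC diary: find Invoke-WebRequest calls that lack
# -UseBasicParsing by walking the script's AST. Assumes Windows PowerShell 5.1.
# Function name and the sample path at the bottom are hypothetical.
function Find-WebRequestWithoutBasicParsing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $tokens = $null
        $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $Path, [ref]$tokens, [ref]$errors)

        # Match the cmdlet and its built-in 5.1 aliases (iwr, wget, curl).
        $calls = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst] -and
            @('Invoke-WebRequest', 'iwr', 'wget', 'curl') -contains $node.GetCommandName()
        }, $true)

        foreach ($call in $calls) {
            # Accept the full switch or an unambiguous prefix such as -UseBasic.
            $hasFlag = $call.CommandElements | Where-Object {
                $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
                $_.ParameterName -match '^UseB'
            }
            if (-not $hasFlag) {
                [pscustomobject]@{
                    File = $Path
                    Line = $call.Extent.StartLineNumber
                    Call = $call.Extent.Text
                }
            }
        }
    }
}

# Usage (hypothetical path): report every offending call under C:\Scripts.
Get-ChildItem -Path C:\Scripts -Filter *.ps1 -Recurse |
    Select-Object -ExpandProperty FullName |
    Find-WebRequestWithoutBasicParsing |
    Format-Table -AutoSize
```

Each hit names the file, line and exact call text, which makes it straightforward to add the switch in place; calls that are already on -UseBasicParsing produce no output.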

CVE-2025-64671: The GitHub Copilot plugin for JetBrains may lead to remote code execution. This is overall an issue with many AI code assistants, as they have far-reaching access to the IDE.

The critical vulnerabilities are remote code execution vulnerabilities in Office and Outlook …

Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+December+2025/32550/

AutoIT3 Compiled Scripts Dropping Shellcodes
Published: 2025-12-05
Last Updated: 2025-12-05 07:12:12 UTC
by Xavier Mertens (Version: 1)

AutoIT3[1] is a powerful language that helps to build nice applications for Windows environments, mainly to automate tasks. Even if it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good… or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to BASIC) but can also be compiled into standalone PE files! From a malware point of view, such executables make extensive use of packed data, making them more stealthy.

Even if it has become less popular, AutoIT3 is still used by some attackers. I found a sample yesterday that (ab)uses a nice feature of the language. The sample was delivered in a ZIP archive, containing a PE file … The file has a VT score of 33/72.

The technique used by the threat actor relies on the function FileInstall(). Its purpose is to include a file into an executed script but… the behavior is subtle and depends on how the script is run. The script calls this code …

Read the full entry: https://isc.sans.edu/diary/AutoIT3+Compiled+Scripts+Dropping+Shellcodes/32542/

Nation-State Attack or Compromised Government? [Guest Diary]
Published: 2025-12-04
Last Updated: 2025-12-04 02:34:40 UTC
by Guy Bruneau (Version: 1)

[This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu BACS program]

The ISC internship didn’t just teach me about security; it changed how I thought about threats entirely. There’s something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That’s where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!

The Beginning …
On November 10, 2025, my honeypot captured very interesting activity that really demonstrates how evolved modern threat actors are getting. What initially appeared to be a simple, but successful, SSH brute force attempt quickly revealed itself as something far more concerning: the deployment of an advanced trojan designed for long-term persistence and evasion.

What happened?
Suspicious activity was detected when the IP address 103[.] … successfully SSH’d into my honeypot using the credentials username “root” and password “linux”. The bad actor maintained access to the honeypot for 1 minute and 45 seconds but ultimately ran no commands. Instead, the attacker uploaded a single file, a trojan binary named “sshd” designed to evade security detections by pretending to be the OpenSSH daemon. It was an Executable and Linkable Format (ELF) binary that was classified as malicious by VirusTotal and Hybrid-Analysis.

We won’t be able to see what the Trojan did on my honeypot at this time; however, I found the hash on Hybrid-Analysis and got a good idea of what the trojan does …

Read the full entry: https://isc.sans.edu/diary/NationState+Attack+or+Compromised+Government+Guest+Diary/32536/

HOLIDAY HACK CHALLENGE

The 2025 SANS Holiday Hack Challenge is officially open
Create your avatar, explore the new holiday adventure, and put your cybersecurity skills to the test through interactive challenges and puzzles. See if you’ve got what it takes to save the holidays.

https://www.sans.org/cyber-ranges/holiday-hack-challenge

New Features This Year:

CTF-Only Mode – Jump straight into the technical action
Micro-Challenges – 10–15 min puzzles for quick, festive wins
Capstones – Longer, deeper challenges to truly level up

OTHER INTERNET STORM CENTER ENTRIES

Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection) (2025.12.10)
https://isc.sans.edu/diary/Possible+exploit+variant+for+CVE20249042+Kubernetes+OS+Command+Injection/32554/

Attempts to Bypass CDNs (2025.12.03)
https://isc.sans.edu/diary/Attempts+to+Bypass+CDNs/32532/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-55182 – React Server Components versions 19.0.0 to 19.2.0 are vulnerable to pre-authentication remote code execution via unsafe deserialization of payloads from HTTP requests.
Product: React
CVSS Score: 10.0
** KEV since 2025-12-05 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
ISC Podcast: https://isc.sans.edu/podcastdetail/9724
NVD References:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55182
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://news.ycombinator.com/item?id=46136026
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182

CVE-2025-62221 – Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows Cloud Files Mini Filter Driver
CVSS Score: 7.8
** KEV since 2025-12-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62221
ISC Diary: https://isc.sans.edu/diary/32550
NVD References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-62221

CVE-2025-66644 – Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.
Product: Array Networks ArrayOS AG
CVSS Score: 7.2
** KEV since 2025-12-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66644
NVD References:
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
https://www.jpcert.or.jp/at/2025/at250024.html
https://x.com/ArraySupport/status/1921373397533032590
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644

CVE-2025-48572 – Android Framework is vulnerable to background activity launching from multiple locations, allowing for local privilege escalation without the need for additional execution privileges or user interaction.
Product: Google Android
CVSS Score: 7.8
** KEV since 2025-12-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48572
NVD References:
https://android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192
https://source.android.com/security/bulletin/2025-12-01
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48572

CVE-2025-48633 – Device Policy Manager Service in DevicePolicyManagerService.java allows for local escalation of privilege without additional execution privileges needed by adding a Device Owner after provisioning due to a logic error.
Product: Google Android
CVSS Score: 5.5
** KEV since 2025-12-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48633
NVD References:
https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93
https://source.android.com/security/bulletin/2025-12-01
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633

CVE-2021-26828 – OpenPLC ScadaBR allows remote authenticated users to upload and execute arbitrary JSP files through view_edit.shtm.
Product: OpenPLC Project ScadaBR
CVSS Score: 0
** KEV since 2025-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-26828

CVE-2025-13872 – ObjectPlanet Opinio 7.26 rev12562 suffers from a Blind SSRF vulnerability in the survey-import feature, allowing attackers to force the server to make malicious HTTP GET requests.
Product: ObjectPlanet Opinio
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13872

CVE-2025-41742 & CVE-2025-41744 – Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 are vulnerable to unauthorized remote attacks due to default cryptographic keys.
Product: Sprecher Automations SPRECON-E Series
CVSS Scores: 9.8 and 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41742
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41744
NVD References:
https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf
https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf

CVE-2025-11778, CVE-2025-11779, CVE-2025-11780, CVE-2025-11782 through CVE-2025-11786, CVE-2025-11788 – Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 has multiple buffer overflow vulnerabilities.
Product: Circutor SGE-PLC1000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11778
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11779
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11780
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11782
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11783
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11784
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11785
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11786
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11788
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

CVE-2025-41013 – TCMAN GIM v11 in version 20250304 is vulnerable to SQL injection, allowing attackers to manipulate databases using the ‘idmant’ parameter in ‘/PC/frmEPIS.aspx’.
Product: TCMAN GIM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41013
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2

CVE-2025-59693 – Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 have a vulnerability (F02) that allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing tamper labels and opening the chassis without leaving evidence, and accessing the JTAG connector.
Product: Entrust nShield Connect XC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59693

CVE-2025-59695 – Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an OS root user to alter firmware on the Chassis Management Board without Authentication, known as F04 vulnerability.
Product: Entrust nShield Connect XC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59695

CVE-2025-59703 – Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access internal components without leaving tamper evidence, known as an F14 attack.
Product: Entrust nShield 5C
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59703

CVE-2025-65358 – Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the ‘docid’ parameter at /admin/appointment.php.
Product: Hashenudara Edoc-Doctor-Appointment-System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65358

CVE-2025-65656 – dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
Product: Dcatadmin Dcat Admin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65656

CVE-2025-58386 – Terminalfour 8 through 8.4.1.1 allows Power Users to escalate privileges by manipulating the userLevel parameter in user management functions.
Product: Terminalfour
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58386
NVD References: https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/

CVE-2025-60854 – D-Link R15 (AX1500) 1.20.01 and below is vulnerable to command injection via the model name parameter during a password change request in the web administrator page.
Product: D-Link R15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60854
NVD References: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10473

CVE-2025-60736 – code-projects Online Medicine Guide 1.0 is vulnerable to SQL Injection in /login.php via the upass parameter.
Product: Anisha Online Medicine Guide
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60736
NVD References: https://github.com/WinDyAlphA/CVE-2025-60736

CVE-2025-65896 – SQL injection vulnerability in long2ice asyncmy through 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys.
Product: long2ice asyncmy
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65896

CVE-2025-65267 – ERPNext v15.83.2 and Frappe Framework v15.86.0 are vulnerable to stored cross-site scripting (XSS) via malicious JavaScript embedded in uploaded SVG avatar images, allowing for potential account takeover and compromise of the affected instance.
Product: ERPNext and Frappe Framework
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65267

CVE-2024-32641 – Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution via the addParam function, allowing an unauthenticated attacker to execute arbitrary code.
Product: Masa CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32641

CVE-2025-66032 – Claude Code, an agentic coding tool, prior to version 1.0.93, allowed for arbitrary code execution by bypassing read-only validation, fixed in the latest update.
Product: Anthropic Claude_Code
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66032
NVD References: https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3

CVE-2025-66208 – Collabora Online – Built-in CODE Server prior to version 25.04.702 is vulnerable to Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy, putting users of Nextcloud with the app at risk.
Product: Collabora Online
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66208

CVE-2025-66222 – DeepChat is vulnerable to Stored Cross-Site Scripting (XSS) which can be escalated to Remote Code Execution (RCE) through the Electron IPC bridge.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66222

CVE-2025-66481 – DeepChat is vulnerable to XSS attacks through improperly sanitized Mermaid content, with a recent security patch being insufficient and allowing for Remote Code Execution via electron.ipcRenderer interface.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66481

CVE-2025-64055 – Fanvil x210 V2 2.12.20 is vulnerable to an authentication bypass, enabling unauthenticated attackers on the local network to access administrative functions of the device.
Product: Fanvil x210
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64055

CVE-2025-64054 – Fanvil x210 2.12.20 devices are susceptible to reflected Cross Site Scripting (XSS) attacks, permitting attackers to execute commands or launch denial of service attacks.
Product: Fanvil x210
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64054

CVE-2025-65868 – EyouCMS v1.7.1 is vulnerable to XML external entity (XXE) injection, enabling remote attackers to cause a denial of service with a specially crafted POST request body.
Product: EyouCMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65868

CVE-2024-45538 – Synology DiskStation Manager (DSM) and Synology Unified Controller (DSMUC) are vulnerable to CSRF attacks, allowing remote attackers to execute arbitrary code.
Product: Synology Diskstation_Manager_Unified_Controller
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45538
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_24_27

CVE-2025-53963 – Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices are vulnerable to root code execution due to a weak default password for the root account on an accessible SSH server.
Product: Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53963
NVD References:
https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf

CVE-2025-54303 – The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials stored as fixtures for the Django ORM API, allowing an attacker to authenticate with administrative privileges using the ionadmin user account and password ionadmin.
Product: Thermo Fisher Torrent Suite Django application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54303
NVD References:
https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf

CVE-2025-54304 – Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices have a vulnerability that allows unauthorized access and potential execution of code due to an exposed X11 display server.
Product: Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54304
NVD References:
https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf

CVE-2025-65346 – Alexusmai Laravel-File-Manager 3.3.1 and below is vulnerable to Directory Traversal, allowing archive contents to be written to arbitrary locations on the filesystem.
Product: alexusmai Laravel-File-Manager
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65346

CVE-2025-63362 – Waveshare RS232/485 TO WIFI ETH (B) allows attackers to bypass authentication by setting blank Administrator password and username values.
Product: Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63362

CVE-2025-29268 – ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library.
Product: ALLNET ALL-RUT22GW
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29268

CVE-2025-29269 – ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.
Product: ALLNET ALL-RUT22GW
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29269

CVE-2025-66570 – cpp-httplib prior to 0.27.0 allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions.
Product: cpp-httplib C++11 single-file header-only cross platform HTTP/HTTPS library
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66570

CVE-2025-27019 – Infinera MTC-9 version R22.1.1.0275 allows an attacker to gain system access by exploiting password-less user accounts and activating a reverse shell.
Product: Infinera MTC-9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27019
NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27019

CVE-2025-27020 – Infinera MTC-9 is vulnerable to an unauthenticated attacker exploiting an improperly configured SSH service to execute arbitrary commands and access file system data.
Product: Infinera MTC-9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27020
NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27020

CVE-2025-61318 – Emlog Pro 2.5.20 is vulnerable to arbitrary file deletion due to insufficient path verification and code filtering in the admin templates and plugins components.
Product: Emlog
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61318

CVE-2025-48626 – The vulnerable product allows for remote privilege escalation without additional execution privileges, as a result of a precondition check failure allowing for background application launch.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48626
NVD References: https://source.android.com/security/bulletin/2025-12-01

CVE-2025-64081 – SourceCodester Patients Waiting Area Queue Management System v1 is vulnerable to SQL injection through the appointmentID parameter in /php/api_patient_schedule.php, allowing for the execution of arbitrary SQL commands by attackers.
Product: Pamzey Patients_Waiting_Area_Queue_Management_System 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64081

CVE-2025-10573 – Ivanti Endpoint Manager is vulnerable to Stored XSS attacks allowing remote unauthenticated attackers to execute arbitrary JavaScript in an administrator session with user interaction.
Product: Ivanti Endpoint Manager
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10573
NVD References: https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024

CVE-2025-11022 – Panilux is vulnerable to CSRF attacks, allowing for unauthorized Cross-Site Request Forgery.
Product: Panilux
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11022
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0433

CVE-2025-12504 – TalentSoft Software UNIS is vulnerable to SQL Injection through improper neutralization of special elements before version 42321.
Product: TalentSoft Software UNIS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12504

CVE-2025-42880 – SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42880

CVE-2025-42928 – SAP jConnect is vulnerable to deserialization attacks that enable high privileged users to execute remote code under specific conditions, posing a significant risk to system security.
Product: SAP jConnect
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42928

CVE-2025-67504 – WBCE CMS versions 1.6.4 and below use non-cryptographically secure password generation, potentially leading to compromised user accounts or privilege escalation.
Product: WBCE CMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67504

CVE-2025-54100 – Windows PowerShell allows unauthorized attackers to execute code locally due to improper neutralization of special elements in a command.
Product: Microsoft Windows PowerShell
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54100
ISC Diary: https://isc.sans.edu/diary/32550
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100

CVE-2025-59718 & CVE-2025-59719 – Fortinet FortiOS, FortiProxy, and FortiSwitchManager have improper cryptographic signature verification vulnerabilities.
Product: Multiple Fortinet Products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59718
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59719
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-25-647

CVE-2025-64671 – Copilot is vulnerable to command injection, allowing unauthorized attackers to execute code locally.
Product: Microsoft Copilot
CVSS Score: 8.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64671
ISC Diary: https://isc.sans.edu/diary/32550
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671

CVE-2025-67489 – The vulnerability in “@vitejs/plugin-rs” allows arbitrary remote code execution on development servers through unsafe dynamic imports in server function APIs, which could lead to data theft or modification.
Product: vitejs plugin-rs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67489

CVE-2025-67494 – ZITADEL versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability due to treating the x-zitadel-forward-host header as a trusted fallback, allowing data exfiltration and bypassing network-segmentation controls.
Product: ZITADEL Login UI (V2)
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67494

CVE-2025-61808 – ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability allowing for arbitrary code execution by a high privileged attacker without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61808
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html

CVE-2025-61809 – ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are vulnerable to an Improper Input Validation flaw allowing security feature bypass, enabling unauthorized access without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61809
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html

CVE-2025-67506 – PipesHub’s vulnerability in versions prior to 0.1.0-beta allows remote attackers to overwrite files or plant malicious code by exploiting a missing authentication issue when converting uploaded files to PDF.
Product: PipesHub Workplace AI platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67506

CVE-2025-13542 – The DesignThemes LMS plugin for WordPress allows unauthenticated attackers to achieve Privilege Escalation by registering as administrators.
Product: DesignThemes LMS plugin for WordPress
Active Installations: Unknown. Update to version 1.0.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13542
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve

CVE-2025-13486 – The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution through the prepare_form() function, allowing unauthenticated attackers to execute arbitrary code on the server.
Product: WordPress Advanced Custom Fields: Extended plugin
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13486
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve

CVE-2025-13342 – The Frontend Admin by DynamiApps plugin for WordPress allows unauthenticated attackers to modify critical WordPress options via crafted form data.
Product: DynamiApps Frontend Admin by DynamiApps plugin
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13342
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3?source=cve

CVE-2025-13390 – The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass due to a weak token generation mechanism, allowing unauthenticated attackers to gain administrative access and achieve full site takeover.
Product: WP Directory Kit WordPress
Active Installations: 3,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13390
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve

CVE-2025-13313 – The CRM Memberships plugin for WordPress is vulnerable to privilege escalation through password reset in versions up to, and including, 2.5, due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action, allowing unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the endpoint.
Product: WordPress CRM Memberships plugin
Active Installations: This plugin has been closed as of December 2, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13313
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/e2837399-c44f-494e-bdc6-f9c6e4e2dc11?source=cve

CVE-2025-12374 – The User Verification plugin for WordPress up to version 2.0.39 allows unauthenticated attackers to bypass authentication and log in as any user with a verified email address by submitting an empty OTP value.
Product: WordPress User Verification plugin
Active Installations: This plugin has been closed as of December 3, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12374
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve

CVE-2025-13377 – The 10Web Booster plugin for WordPress is vulnerable to arbitrary folder deletion by authenticated attackers with Subscriber-level access and above, potentially leading to data loss or denial of service.
Product: 10Web Booster – Website speed optimization plugin for WordPress
Active Installations: 90,000+
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13377
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve

CVE-2025-13613 – The Elated Membership plugin for WordPress up to version 1.2 is vulnerable to Authentication Bypass, allowing unauthenticated attackers to log in as administrative users through improper user verification functions.
Product: Elated Membership plugin for WordPress
Active Installations: Unknown. Update to version 1.3, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13613
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve
