@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 48

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

ClickFix Attacks Still Using the Finger
Published: 2025-12-13
Last Updated: 2025-12-13 19:35:30 UTC
by Brad Duncan (Version: 1)

Introduction

Since as early as November 2025, the finger protocol has been used in ClickFix social engineering attacks. BleepingComputer posted a report of this activity on November 15th, and Didier Stevens posted a short follow-up in an ISC diary the next day.

I often investigate two campaigns that employ ClickFix attacks: KongTuke and SmartApeSG. When I checked earlier this week on Thursday, December 11th, both campaigns used commands that ran finger.exe in Windows to retrieve malicious content.

So after nearly a month, ClickFix attacks are still giving us the finger …

Read the full entry: https://isc.sans.edu/diary/ClickFix+Attacks+Still+Using+the+Finger/32566/

Apple Patches Everything: December 2025 Edition
Published: 2025-12-12
Last Updated: 2025-12-12 19:53:36 UTC
by Johannes Ullrich (Version: 1)

Never release on a Friday. Unless you are Apple 🙂 Apple released updates for all of its operating systems today. These updates were expected this week, although a second release candidate published on Monday made me think they might wait a week to push the final product. This is a “step update” for the operating systems, including various small feature updates. Across Apple’s operating systems, the update fixes a total of 48 vulnerabilities. Two of the vulnerabilities are already actively exploited in targeted attacks.

Both exploited vulnerabilities affect WebKit and, with that, are exploitable by visiting a malicious webpage. WebKit is used by various software that displays HTML pages, not just Safari. The first vulnerability, CVE-2025-14174, is a use-after-free vulnerability. The second issue, CVE-2025-43529, allows for memory corruption. Apple does not state it in their brief advisories, but both issues can likely be used to execute arbitrary code. It is not clear if the vulnerabilities will also lead to sandbox escape.

In addition to the patches for the operating system, Apple also fixed its video processing tool “Compressor”. The patched vulnerability allows for remote code execution by an attacker on the local network. Compressor is an add-on software that is not included in the OS install. I doubt many users aside from video editors have it installed …

Read the full entry: https://isc.sans.edu/diary/Apple+Patches+Everything+December+2025+Edition/32564/

Abusing DLLs EntryPoint for the Fun
Published: 2025-12-12
Last Updated: 2025-12-12 05:08:36 UTC
by Xavier Mertens (Version: 1)

In the Microsoft Windows ecosystem, DLLs (Dynamic Link Libraries) are PE files like regular programs. One of the main differences is that they export functions that can be called by programs that load them. For example, to call RegOpenKeyExA(), the program must first load ADVAPI32.dll. A PE file has a lot of headers (metadata) that contain useful information used by the loader to prepare the execution in memory. One of them is the EntryPoint, which contains the (relative virtual) address where the program will start to execute …

Read the full entry: https://isc.sans.edu/diary/Abusing+DLLs+EntryPoint+for+the+Fun/32562/
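
As an added illustration of the EntryPoint header discussed above (this is editor-supplied code, not from the ISC diary), the script below parses the DOS, COFF, optional and section headers of a PE image, reads AddressOfEntryPoint, and reports where that RVA lands: a DLL whose entry point is outside every section, in a non-executable section, or somewhere other than .text is worth a closer look during triage. The DLL bytes it runs on are a minimal PE32 image constructed in code (assumed layout, not a real file); point `parse_pe()` at the bytes of any real DLL to use it for triage.

```python
"""Locate a PE file's AddressOfEntryPoint and sanity-check the section it points into."""
import struct

IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag: image is a DLL
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag: executable


def parse_pe(data: bytes) -> dict:
    """Return the DLL flag, entry point RVA and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    table = opt + opt_size                                   # section table follows the optional header
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr, _rel, _lines,
         _nrel, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    """Return the section whose virtual range covers rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def entry_point_findings(data: bytes):
    """Parse the image and return (header info, entry section, list of oddities)."""
    pe = parse_pe(data)
    sec = section_for_rva(pe["sections"], pe["entry_rva"])
    findings = []
    if pe["entry_rva"] == 0:
        # The loader never calls DllMain for a DLL whose entry point is 0.
        findings.append("entry point is 0: no DllMain will run")
    elif sec is None:
        findings.append("entry point RVA 0x%x is outside every section" % pe["entry_rva"])
    else:
        if not sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry point lies in non-executable section %s" % sec["name"])
        if sec["name"] != ".text":
            findings.append("entry point lies in %s rather than .text" % sec["name"])
    return pe, sec, findings


def build_sample_dll(entry_rva: int, sections) -> bytes:
    """Construct a minimal PE32 DLL header set (constructed sample, not a real DLL).

    sections: list of (name, vaddr, vsize, rawptr, rawsize, flags)."""
    opt_size = 224                                # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE header right after DOS header
    # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, rawptr, rawsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a .text (code, executable) and a .data (read/write) section.
SAMPLE_SECTIONS = [(b".text", 0x1000, 0x400, 0x400, 0x400, 0x60000020),
                   (b".data", 0x2000, 0x100, 0x800, 0x200, 0xC0000040)]
NORMAL_DLL = build_sample_dll(0x1040, SAMPLE_SECTIONS)      # entry point inside .text
SUSPICIOUS_DLL = build_sample_dll(0x2010, SAMPLE_SECTIONS)  # entry point inside .data

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_DLL), ("suspicious", SUSPICIOUS_DLL)):
        pe, sec, findings = entry_point_findings(image)
        print(label, "dll" if pe["is_dll"] else "exe", "entry=0x%x" % pe["entry_rva"],
              "section=%s" % (sec["name"] if sec else None), findings)
```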

HOLIDAY HACK CHALLENGE

The 2025 SANS Holiday Hack Challenge is officially open!
Create your avatar, explore the new holiday adventure, and put your cybersecurity skills to the test through interactive challenges and puzzles. See if you’ve got what it takes to save the holidays.

https://www.sans.org/cyber-ranges/holiday-hack-challenge

New Features This Year:

CTF-Only Mode – Jump straight into the technical action
Micro-Challenges – 10–15 min puzzles for quick, festive wins
Capstones – Longer, deeper challenges to truly level up

OTHER INTERNET STORM CENTER ENTRIES

Maybe a Little Bit More Interesting React2Shell Exploit (2025.12.17)
https://isc.sans.edu/diary/Maybe+a+Little+Bit+More+Interesting+React2Shell+Exploit/32578/

More React2Shell Exploits CVE-2025-55182 (2025.12.15)
https://isc.sans.edu/diary/More+React2Shell+Exploits+CVE202555182/32572/

Wireshark 4.6.2 Released (2025.12.14)
https://isc.sans.edu/diary/Wireshark+462+Released/32568/

Using AI Gemma 3 Locally with a Single CPU (2025.12.10)
https://isc.sans.edu/diary/Using+AI+Gemma+3+Locally+with+a+Single+CPU/32556/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-55182 – React Server Components versions 19.0.0 to 19.2.0 are vulnerable to pre-authentication remote code execution via unsafe deserialization of payloads from HTTP requests.
Product: React Server Components
CVSS Score: 0
** KEV since 2025-12-05 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
ISC Diary: https://isc.sans.edu/diary/32572
ISC Podcast: https://isc.sans.edu/podcastdetail/9734

CVE-2025-59718 – Fortinet FortiOS, FortiProxy, and FortiSwitchManager are vulnerable to improper cryptographic signature verification, allowing unauthenticated attackers to bypass FortiCloud SSO login authentication with a crafted SAML response.
Product: Multiple Fortinet products
CVSS Score: 9.8
** KEV since 2025-12-16 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59718
ISC Podcast: https://isc.sans.edu/podcastdetail/9742
NVD References:
https://fortiguard.fortinet.com/psirt/FG-IR-25-647
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718

CVE-2025-59719 – Fortinet FortiWeb versions 8.0.0, 7.6.0 through 7.6.4, and 7.4.0 through 7.4.9 are susceptible to an improper verification of cryptographic signature vulnerability, potentially enabling an unauthenticated attacker to bypass FortiCloud SSO login authentication with a specially-crafted SAML response message.
Product: Fortinet Fortiweb
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59719
ISC Podcast: https://isc.sans.edu/podcastdetail/9742
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-25-647

CVE-2025-14174 – Google Chrome on Mac prior to 143.0.7499.110 allows a remote attacker to perform out of bounds memory access via a crafted HTML page.
Product: Google Chrome
CVSS Score: 8.8
** KEV since 2025-12-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14174
ISC Diary: https://isc.sans.edu/diary/32564
NVD References:
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
https://issues.chromium.org/issues/466192044
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14174

CVE-2025-14611 – Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 have hardcoded values for AES cryptoscheme, posing a security risk with potential for arbitrary local file inclusion and system compromise.
Product: Gladinet CentreStack and Triofox
CVSS Score: 9.8
** KEV since 2025-12-15 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14611
NVD References:
https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14611

CVE-2025-62221 – Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows Cloud Files Mini Filter Driver
CVSS Score: 7.8
** KEV since 2025-12-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62221
NVD References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-62221

CVE-2018-4063 – Sierra Wireless AirLink ES450 FW 4.9.3 is vulnerable to an exploit that allows an attacker to upload and execute code on the webserver with an authenticated HTTP request to upload.cgi.
Product: Sierra Wireless Airlink ES450 Firmware
CVSS Score: 0
** KEV since 2025-12-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-4063
NVD References: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4063

CVE-2024-9042 – Windows worker nodes are vulnerable to CVE if running affected versions listed.
Product: Microsoft Windows
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9042
ISC Podcast: https://isc.sans.edu/podcastdetail/9734

CVE-2025-66481 – DeepChat is vulnerable to XSS attacks through improperly sanitized Mermaid content, with a recent security patch being insufficient and allowing for Remote Code Execution via electron.ipcRenderer interface.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66481

CVE-2025-67744 – DeepChat is vulnerable to Remote Code Execution through an XSS flaw in the Mermaid diagram rendering component.
Product: DeepChat Mermaid diagram rendering component
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67744

CVE-2025-10573 – Ivanti Endpoint Manager is vulnerable to Stored XSS attacks allowing remote unauthenticated attackers to execute arbitrary JavaScript in an administrator session with user interaction.
Product: Ivanti Endpoint Manager
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10573
NVD References: https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024

CVE-2025-11022 – Panilux is vulnerable to CSRF attacks, allowing for unauthorized Cross-Site Request Forgery.
Product: Panilux
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11022

CVE-2025-12504 – TalentSoft Software UNIS is vulnerable to SQL Injection through improper neutralization of special elements before version 42321.
Product: TalentSoft Software UNIS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12504

CVE-2025-14321 – Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146 and Firefox ESR < 140.6.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14321
NVD References:
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/

CVE-2025-14324 – Firefox is affected by a JIT miscompilation vulnerability in its JavaScript Engine, impacting versions below 146 and ESR versions below 115.31 and 140.6.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14324
NVD References:
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-93/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/

CVE-2025-14326 – Use-after-free in the Audio/Video: GMP component of Firefox and Thunderbird. This vulnerability affects versions < 146.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14326
NVD References:
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-95/

CVE-2025-14330 – JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Product: Mozilla Firefox and Thunderbird
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14330
NVD References:
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/

CVE-2025-42880 – SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42880
NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-42928 – SAP jConnect is vulnerable to deserialization attacks that enable high privileged users to execute remote code under specific conditions, posing a significant risk to system security.
Product: SAP jConnect
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42928
NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-66565 – Fiber Utils had a vulnerability where it returned predictable UUID values if the cryptographic random number generator failed, compromising the security of applications using these functions until version 2.0.0-rc.4 fixed the issue.
Product: Gofiber Utils
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66565

CVE-2025-66567 & CVE-2025-66568 – The Ruby-SAML library up to and including version 1.12.4 is vulnerable to authentication bypass through Signature Wrapping attacks.
Product: Ruby-SAML
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66567
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66568

CVE-2025-67504 – WBCE CMS versions 1.6.4 and below use non-cryptographically secure password generation, potentially leading to compromised user accounts or privilege escalation.
Product: WBCE CMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67504

CVE-2025-63742 – Xinhu Rainrock RockOA 2.7.0 is vulnerable to SQL Injection in the setwxqyAction function, allowing attackers to access sensitive information using the shouji and userid parameters.
Product: RockOA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63742

CVE-2025-65882 – Openmptcprouter through version 0.64 allows attackers to write arbitrary files or execute arbitrary commands due to a vulnerability in the sys-upgrade-helper tool.
Product: openmptcprouter sys-upgrade-helper
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65882

CVE-2025-65741 – Sublime Text 3 Build 3208 or prior for MacOS allows for Dylib Injection, enabling an attacker to execute a compiled .dylib file within the application’s context.
Product: Sublime Text
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65741

CVE-2025-67489 – The vulnerability in “@vitejs/plugin-rs” allows arbitrary remote code execution on development servers through unsafe dynamic imports in server function APIs, which could lead to data theft or modification.
Product: vitejs plugin-rs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67489

CVE-2025-67494 – ZITADEL versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability due to treating the x-zitadel-forward-host header as a trusted fallback, allowing data exfiltration and bypassing network-segmentation controls.
Product: ZITADEL Login UI (V2)
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67494

CVE-2025-61808, CVE-2025-61809, CVE-2025-61811 – Multiple vulnerabilities in Adobe ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61808
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61809
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61811
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html

CVE-2025-67506 – PipesHub’s vulnerability in versions prior to 0.1.0-beta allows remote attackers to overwrite files or plant malicious code by exploiting a missing authentication issue when converting uploaded files to PDF.
Product: PipesHub Workplace AI platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67506

CVE-2025-41730 & CVE-2025-41732 – Remote stack buffer overflow vulnerabilities in WAGO Industrial-Managed Switches
Product: WAGO Industrial-Managed Switches
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41730
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41732
NVD References: https://certvde.com/de/advisories/VDE-2025-095

CVE-2025-13184 – TOTOLINK X5000R V9.1.0u.6369_B20230113 allows unauthenticated Telnet enablement via cstecgi.cgi, leading to root access with a blank password and arbitrary command execution.
Product: TOTOLINK X5000R
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13184
NVD References: https://www.kb.cert.org/vuls/id/821724

CVE-2025-65792 – DataGear v5.5.0 is vulnerable to Arbitrary File Deletion.
Product: DataGear
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65792

CVE-2025-13607 – A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.
Product: D-Link
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13607
NVD References:
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10462
https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-03

CVE-2025-64537 through CVE-2025-64539 – Adobe Experience Manager versions 6.5.23 and earlier are vulnerable to DOM-based Cross-Site Scripting (XSS) flaws that allow for arbitrary code execution.
Product: Adobe Experience Manager
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64537
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64538
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64539
NVD References: https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html

CVE-2025-65820, CVE-2025-65823, CVE-2025-65826, CVE-2025-65827 & CVE-2025-65830 – Multiple Vulnerabilities in Meatmeet Pro Android Mobile Application.
Product: Meatmeet Pro Android Mobile Application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65820
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65823
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65826
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65827
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65830

CVE-2025-65294 – Aqara Hub devices have an undocumented remote access mechanism allowing unrestricted remote command execution.
Product: Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65294

CVE-2025-67510 – Neuron’s MySQLWriteTool in versions 2.8.11 and below allows for arbitrary SQL execution, posing a high-risk capability for prompt injection and potential execution of destructive queries.
Product: Neuron MySQLWriteTool
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67510

CVE-2025-67511 – Cybersecurity AI (CAI) is vulnerable to Command Injection through the run_ssh_command_with_credentials() function in versions 0.5.9 and below, allowing for unauthorized access to AI agents.
Product: Cybersecurity AI (CAI)
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67511

CVE-2025-14265 – ScreenConnect™ prior to version 25.8 allows unauthorized or administrative users to install and execute untrusted extensions, leading to potential server compromise or data access.
Product: ScreenConnect™
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14265
NVD References: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch

CVE-2025-65473 – EasyImages 2.0 v2.8.6 and below allows arbitrary code execution by injecting a crafted payload into an uploaded file name in the /admin/filer.php component.
Product: EasyImages2.0 Project
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65473

CVE-2025-66043 through CVE-2025-66048 – The Biosig Project libbiosig 3.9.1 is vulnerable to stack-based buffer overflow issues.
Product: The Biosig Project libbiosig
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66043
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66044
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66045
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66046
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66047
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66048
NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296

CVE-2025-13780 – pgAdmin versions up to 9.10 are vulnerable to Remote Code Execution (RCE) when restoring PLAIN-format dump files, allowing attackers to execute arbitrary commands on the server.
Product: pgAdmin
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13780

CVE-2025-36937 – AudioDecoder has a vulnerability that could allow for remote code execution without user interaction due to an incorrect bounds check.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36937
NVD References: https://source.android.com/security/bulletin/pixel/2025-12-01

CVE-2025-67728 – Fireshare allows users to self-host media and links, but versions 1.2.30 and below have a vulnerability that allows for Remote Code Execution via malicious filenames in uploaded video files.
Product: Fireshare
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67728

CVE-2025-58130 – Apache Fineract is vulnerable to Insufficiently Protected Credentials, impacting versions up to 1.11.0, with a fix available in version 1.12.1, but users are advised to upgrade to version 1.13.0.
Product: Apache Fineract
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58130
NVD References: https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy

CVE-2025-54947 – Apache StreamPark versions 2.0.0 through 2.1.7 contain a security vulnerability due to a hard-coded encryption key.
Product: Apache StreamPark
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54947
NVD References: https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1

CVE-2025-65854 – MineAdmin v3.x contains insecure permissions in the scheduled tasks feature allowing for arbitrary command execution and full account takeover.
Product: MineAdmin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65854

CVE-2025-66430 – Plesk 18.0 has Incorrect Access Control.
Product: Plesk
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66430

CVE-2024-14010 – Typora 1.7.4 allows attackers to execute arbitrary system commands via a command injection vulnerability in the PDF export preferences.
Product: Typora
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-14010

CVE-2024-58299 – PCMan FTP Server 2.0 is vulnerable to a buffer overflow in the ‘pwd’ command, allowing remote attackers to execute arbitrary code by sending a specially crafted payload during the FTP login process.
Product: PCMan FTP Server 2.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-58299

CVE-2024-58311 – Dormakaba Saflok System 6000 is vulnerable to attackers deriving card access keys from a predictable key generation algorithm based on a 32-bit unique identifier.
Product: Dormakaba Saflok System 6000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-58311

CVE-2025-14665 – Tenda WH450 1.0.0.18 is vulnerable to a remote stack-based buffer overflow attack by manipulating the argument page in the /goform/DhcpListClient file of the HTTP Request Handler component.
Product: Tenda WH450
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14665

CVE-2025-14705 through CVE-2025-14707 – Shiguangwu sgwbox N3 2.0.25 has multiple command injection vulnerabilities.
Product: Shiguangwu sgwbox N3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14705
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14706
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14707

CVE-2025-14708 & CVE-2025-14709 – Shiguangwu sgwbox N3 2.0.25 has multiple buffer overflow vulnerabilities.
Product: Shiguangwu sgwbox N3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14708
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14709

CVE-2025-13888 – OpenShift GitOps is vulnerable to a flaw that allows namespace admins to gain elevated permissions and potentially grant root access to the entire cluster.
Product: Red Hat OpenShift GitOps
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13888

CVE-2025-66844 – In Grav before 1.7.49.5, an SSRF vector can be triggered through Twig templates if undefined PHP functions are registered in the configuration.
Product: Grav
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66844

CVE-2025-66434 & CVE-2025-66438 – Frappe ERPNext through 15.89.0 has Server-Side Template Injection (SSTI) vulnerabilities.
Product: Frappe ERPNext
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66434
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66438

CVE-2025-66439 & CVE-2025-66440 – Frappe ERPNext through 15.89.0 has SQL Injection vulnerabilities.
Product: Frappe ERPNext
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66439
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66440

CVE-2025-65213 – MooreThreads torch_musa has an unsafe deserialization vulnerability in compare_tool, allowing for arbitrary code execution through crafted pickle files.
Product: MooreThreads torch_musa
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65213

CVE-2025-55895 – TOTOLINK A3300R and N200RE routers are vulnerable to Incorrect Access Control, allowing remote attackers to send payloads to the interface without logging in.
Product: TOTOLINK A3300R
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55895

CVE-2025-67515 – Mikado-Themes Wilmër wilmer is vulnerable to PHP Local File Inclusion through improper control of filename for include/require statement, impacting versions from n/a through < 3.5.
Product: Mikado-Themes Wilmër
Active Installations: Unknown. Update to version 3.5 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67515
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/wilmer/vulnerability/wordpress-wilmer-theme-3-5-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67516 – Store Locator WordPress plugin Agile Logix Store Locator allows Blind SQL Injection from versions n/a through 1.6.2.
Product: Agile Store Locator Store Locator WordPress
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67516
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/agile-store-locator/vulnerability/wordpress-store-locator-wordpress-plugin-1-6-2-sql-injection-vulnerability?_s_id=cve

CVE-2025-67517 – ArtPlacer Widget is vulnerable to Blind SQL Injection from version n/a through 2.22.9.2.
Product: ArtPlacer Widget
Active Installations: 200+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67517
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-22-9-2-sql-injection-vulnerability?_s_id=cve

CVE-2025-67518 – LambertGroup Accordion Slider PRO accordion_slider_pro is vulnerable to Blind SQL Injection, affecting versions from n/a through 1.2.
Product: LambertGroup Accordion Slider PRO
Active Installations: Unknown. Update to version 1.3 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67518
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-sql-injection-vulnerability?_s_id=cve

CVE-2025-67519 – Ninja Tables ninja-tables allows SQL Injection via improper neutralization of special elements in SQL commands, affecting versions from n/a through <= 5.2.3.
Product: Shahjahan Ninja Tables
Active Installations: Unknown. Update to version 5.2.4 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67519
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-3-sql-injection-vulnerability?_s_id=cve

CVE-2025-67520 – Media Library Tools is vulnerable to SQL Injection through versions from n/a to 1.6.15, allowing attackers to manipulate special elements in commands.
Product: Tiny Media Library Tools
Active Installations: Unknown. Update to version 1.7.0 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67520
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/media-library-tools/vulnerability/wordpress-media-library-tools-plugin-1-6-15-sql-injection-vulnerability?_s_id=cve

CVE-2025-67521 – Select-Themes Select Core select-core is vulnerable to PHP Local File Inclusion from version n/a through < 2.6.
Product: Select-Themes Select Core
Active Installations: Unknown. Update to version 2.6 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67521
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67522 – NooTheme Jobmonster noo-jobmonster allows PHP Remote File Inclusion from n/a through 4.8.2.
Product: NooTheme Jobmonster
Active Installations: Unknown. Update to version 4.8.3 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67522
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/noo-jobmonster/vulnerability/wordpress-jobmonster-theme-4-8-2-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67523 – trippleS Exhibz allows PHP Local File Inclusion in versions from n/a through <= 3.0.9.
Product: trippleS Exhibz
Active Installations: Update to version 3.0.10 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67523
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/exhibz/vulnerability/wordpress-exhibz-theme-3-0-9-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67524 – NooTheme Jobmonster Elementor Addon is susceptible to a PHP Remote File Inclusion vulnerability that also allows PHP Local File Inclusion, affecting versions from n/a through 1.1.4.
Product: NooTheme Jobmonster Elementor Addon
Active Installations: Unknown. Update to version 1.1.5 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67524
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/jobmonster-addon/vulnerability/wordpress-jobmonster-elementor-addon-plugin-1-1-4-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67525 – Opal_WP ekommart ekommart allows PHP Local File Inclusion via improper control of filename for include/require statement.
Product: Opal_WP ekommart
Active Installations: Unknown. Update to version 4.3.1 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67525
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/ekommart/vulnerability/wordpress-ekommart-theme-4-3-1-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67526 – ThimPress Sailing allows PHP Local File Inclusion in versions from n/a through < 4.4.6.
Product: ThimPress Sailing
Active Installations: Unknown. Update to version 4.4.6 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67526
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/sailing/vulnerability/wordpress-sailing-theme-4-4-6-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67527 – Digiqole version n/a through < 2.2.7 is vulnerable to PHP Remote File Inclusion (“Improper Control of Filename”) due to improper control of filename for include/require statement in PHP program.
Product: trippleS Digiqole
Active Installations: Unknown. Update to version 2.2.7 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67527
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/digiqole/vulnerability/wordpress-digiqole-theme-2-2-7-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67529 – Opal_WP Fashion fashion2 is vulnerable to PHP Local File Inclusion, which allows for improper control of the filename in include/require statements.
Product: Opal_WP Fashion
Active Installations: Unknown. Update to version 5.3.0 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67529
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/fashion2/vulnerability/wordpress-fashion-theme-5-3-0-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67530 – ThemBay Besa besa allows for PHP Local File Inclusion in versions n/a through 2.3.15, leading to improper control of filenames for the include/require statement in PHP programs.
Product: ThemBay Besa
Active Installations: Unknown. Update to version 2.3.16 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67530
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/besa/vulnerability/wordpress-besa-theme-2-3-15-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67532 – Thembay Hara from n/a through <= 1.2.17 is vulnerable to PHP Remote File Inclusion due to improper control of file names in include/require statements.
Product: Thembay Hara
Active Installations: Unknown. Update to version 1.2.18 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67532
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-67531 – Turitor by trippleS allows PHP Local File Inclusion via improper control of filenames in the include/require statement.
Product: trippleS Turitor
Active Installations: Unknown. Update to version 1.5.3 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67531
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/turitor/vulnerability/wordpress-turitor-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-13613 – The Elated Membership plugin for WordPress up to version 1.2 is vulnerable to Authentication Bypass, allowing unauthenticated attackers to log in as administrative users through improper user verification functions.
Product: Elated Membership plugin for WordPress
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13613
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve

CVE-2025-13764 – The WP CarDealer plugin for WordPress allows unauthenticated attackers to gain administrator access through privilege escalation.
Product: WP CarDealer WordPress plugin
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13764
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f4893d9c-e039-43df-80b9-dbe42374caed?source=cve

CVE-2025-12963 – The LazyTasks plugin for WordPress is vulnerable to privilege escalation through account takeover, allowing unauthenticated attackers to manipulate user email addresses and gain unauthorized access to accounts and grant access to additional roles.
Product: LazyTasks Project & Task Management with Collaboration, Kanban and Gantt
Active Installations: This plugin has been closed as of December 10, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12963
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c6998185-0f9b-48ab-9dca-05adf5ae603a?source=cve

CVE-2025-14344 – The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation.
Product: WordPress Multi Uploader for Gravity Forms plugin
Active Installations: This plugin has been closed as of December 10, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14344
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/346af237-0411-4cc4-9544-eab697385a2f?source=cve

CVE-2025-10738 – The URL Shortener Plugin For WordPress plugin is vulnerable to SQL Injection through the ‘analytic_id’ parameter, allowing unauthenticated attackers to potentially extract sensitive information from the database.
Product: WordPress URL Shortener Plugin For WordPress
Active Installations: This plugin has been closed as of October 22, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10738
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/1b4acf11-114a-4e97-89cd-1d387f14a730?source=cve

CVE-2025-11693 – The Export WP Page to Static HTML & PDF plugin for WordPress allows unauthenticated attackers to access sensitive authentication cookies through publicly exposed cookies.txt files.
Product: WordPress Export WP Page to Static HTML & PDF plugin
Active Installations: 5,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11693
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/cd28ac3c-aaef-49e3-843d-8532404703c9?source=cve

CVE-2025-66131 – Yaad Sarig Payment Gateway For WC allows attackers to exploit incorrectly configured access control security levels, affecting versions from n/a through <= 2.2.10.
Product: Yaad Sarig Payment Gateway For WC
Active Installations: 2,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66131
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/yaad-sarig-payment-gateway-for-wc/vulnerability/wordpress-yaad-sarig-payment-gateway-for-wc-plugin-2-2-10-broken-access-control-vulnerability?_s_id=cve

The following vulnerability needs a manual review:

CVE-2025-43529 – Apple iOS, iPadOS, macOS, and other Apple products contain a use-after-free vulnerability in WebKit. Processing maliciously crafted web content may lead to memory corruption. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.
Product: WebKit in Multiple Apple Products
CVSS Score: ** KEV since 2025-12-15 **
NVD: N/A
ISC Diary: https://isc.sans.edu/diary/Apple+Patches+Everything+December+2025+Edition/32564/
ISC Podcast: https://isc.sans.edu/podcastdetail/9738
References: https://support.apple.com/en-us/100100

@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 47


INTERNET STORM CENTER SPOTLIGHT


Microsoft Patch Tuesday December 2025
Published: 2025-12-09
Last Updated: 2025-12-09 20:20:54 UTC
by Johannes Ullrich (Version: 1)

This release addresses 57 vulnerabilities. Three of these vulnerabilities are rated critical. One vulnerability was already exploited, and two were publicly disclosed before the patch was released.

CVE-2025-62221: This privilege escalation vulnerability in the Microsoft Cloud Files Mini Filters driver is already being exploited.

CVE-2025-54100: A PowerShell script using Invoke-WebRequest may execute scripts that are included in the response. This is what Invoke-WebRequest is supposed to do. The patch adds a warning suggesting adding the -UseBasicParsing parameter to avoid executing scripts.

CVE-2025-64671: The GitHub Copilot plugin for JetBrains may lead to remote code execution. This is overall an issue with many AI code assistants, as they have far-reaching access to the IDE.

The critical vulnerabilities are remote code execution vulnerabilities in Office and Outlook …

Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+December+2025/32550/

AutoIT3 Compiled Scripts Dropping Shellcodes
Published: 2025-12-05
Last Updated: 2025-12-05 07:12:12 UTC
by Xavier Mertens (Version: 1)

AutoIT3[1] is a powerful language that helps to build nice applications for Windows environments, mainly to automate tasks. Even if it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good… or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to BASIC) but can also be compiled into standalone PE files! From a malware point of view, such executables make extensive use of packed data, making them more stealthy.

Even if it has become less popular, AutoIT3 is still used by some attackers. I found a sample yesterday that (ab)uses a nice feature of the language. The sample was delivered in a ZIP archive, containing a PE file … The file has a VT score of 33/72.

The technique used by the threat actor relies on the function FileInstall(). Its purpose is to include a file into an executed script but… the behavior is subtle and depends on how the script is run. The script calls this code …

Read the full entry: https://isc.sans.edu/diary/AutoIT3+Compiled+Scripts+Dropping+Shellcodes/32542/

Nation-State Attack or Compromised Government? [Guest Diary]
Published: 2025-12-04
Last Updated: 2025-12-04 02:34:40 UTC
by Guy Bruneau (Version: 1)

[This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu BACS program]

The ISC internship didn’t just teach me about security, it changed how I thought about threats entirely. There’s something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That’s where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!

The Beginning …
On November 10, 2025, my honeypot captured very interesting activity that really demonstrates how evolved modern threat actors are getting. What initially appeared to be a simple, but successful SSH brute force attempt quickly revealed itself as something far more concerning, a deployment of an advanced trojan designed for long-term persistence and evasion.

What happened?
Suspicious activity was detected when the IP address 103[.] … successfully SSH’d into my honeypot using the credentials username “root” and password “linux”. The bad actor maintained access to the honeypot for 1 minute and 45 seconds but ultimately ran no commands. Instead, the attacker uploaded a single file, a trojan binary named “sshd” designed to evade security detections by pretending to be the OpenSSH daemon. It was an Executable and Linkable Format (ELF) binary that was classified as malicious by VirusTotal and Hybrid-Analysis.

We won’t be able to see what the Trojan did on my honeypot at this time, however, I found the hash on Hybrid-Analysis and got a good idea of what the trojan does …

Read the full entry: https://isc.sans.edu/diary/NationState+Attack+or+Compromised+Government+Guest+Diary/32536/

HOLIDAY HACK CHALLENGE

The 2025 SANS Holiday Hack Challenge is officially open
Create your avatar, explore the new holiday adventure, and put your cybersecurity skills to the test through interactive challenges and puzzles. See if you’ve got what it takes to save the holidays.

https://www.sans.org/cyber-ranges/holiday-hack-challenge

New Features This Year:

CTF-Only Mode – Jump straight into the technical action
Micro-Challenges – 10–15 min puzzles for quick, festive wins
Capstones – Longer, deeper challenges to truly level up

OTHER INTERNET STORM CENTER ENTRIES

Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection) (2025.12.10)
https://isc.sans.edu/diary/Possible+exploit+variant+for+CVE20249042+Kubernetes+OS+Command+Injection/32554/

Attempts to Bypass CDNs (2025.12.03)
https://isc.sans.edu/diary/Attempts+to+Bypass+CDNs/32532/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-55182 – React Server Components versions 19.0.0 to 19.2.0 are vulnerable to pre-authentication remote code execution via unsafe deserialization of payloads from HTTP requests.
Product: React
CVSS Score: 10.0
** KEV since 2025-12-05 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
ISC Podcast: https://isc.sans.edu/podcastdetail/9724
NVD References:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55182
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://news.ycombinator.com/item?id=46136026
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182

CVE-2025-62221 – Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows Cloud Files Mini Filter Driver
CVSS Score: 7.8
** KEV since 2025-12-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62221
ISC Diary: https://isc.sans.edu/diary/32550
NVD References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-62221

CVE-2025-66644 – Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.
Product: Array Networks ArrayOS AG
CVSS Score: 7.2
** KEV since 2025-12-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66644
NVD References:
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
https://www.jpcert.or.jp/at/2025/at250024.html
https://x.com/ArraySupport/status/1921373397533032590
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644

CVE-2025-48572 – Android Framework is vulnerable to background activity launching from multiple locations, allowing for local privilege escalation without the need for additional execution privileges or user interaction.
Product: Google Android
CVSS Score: 7.8
** KEV since 2025-12-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48572
NVD References:
https://android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192
https://source.android.com/security/bulletin/2025-12-01
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48572

CVE-2025-48633 – Device Policy Manager Service in DevicePolicyManagerService.java allows for local escalation of privilege without additional execution privileges needed by adding a Device Owner after provisioning due to a logic error.
Product: Google Android
CVSS Score: 5.5
** KEV since 2025-12-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48633
NVD References:
https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93
https://source.android.com/security/bulletin/2025-12-01
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633

CVE-2021-26828 – OpenPLC ScadaBR allows remote authenticated users to upload and execute arbitrary JSP files through view_edit.shtm.
Product: OpenPLC Project ScadaBR
CVSS Score: 0
** KEV since 2025-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-26828

CVE-2025-13872 – ObjectPlanet Opinio 7.26 rev12562 suffers from a Blind SSRF vulnerability in the survey-import feature, allowing attackers to force the server to make malicious HTTP GET requests.
Product: ObjectPlanet Opinio
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13872

CVE-2025-41742 & CVE-2025-41744 – Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 are vulnerable to unauthorized remote attacks due to default cryptographic keys.
Product: Sprecher Automation SPRECON-E Series
CVSS Scores: 9.8 and 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41742
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41744
NVD References:
https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf
https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf

CVE-2025-11778, CVE-2025-11779, CVE-2025-11780, CVE-2025-11782 through CVE-2025-11786, CVE-2025-11788 – Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 has multiple buffer overflow vulnerabilities.
Product: Circutor SGE-PLC1000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11778
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11779
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11780
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11782
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11783
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11784
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11785
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11786
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11788
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

CVE-2025-41013 – TCMAN GIM v11 in version 20250304 is vulnerable to SQL injection, allowing attackers to manipulate databases using the ‘idmant’ parameter in ‘/PC/frmEPIS.aspx’.
Product: TCMAN GIM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41013
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2

CVE-2025-59693 – Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 have a vulnerability (F02) that allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing tamper labels and opening the chassis without leaving evidence, and accessing the JTAG connector.
Product: Entrust nShield Connect XC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59693

CVE-2025-59695 – Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an OS root user to alter firmware on the Chassis Management Board without Authentication, known as F04 vulnerability.
Product: Entrust nShield Connect XC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59695

CVE-2025-59703 – Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access internal components without leaving tamper evidence, known as an F14 attack.
Product: Entrust nShield 5C
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59703

CVE-2025-65358 – Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the ‘docid’ parameter at /admin/appointment.php.
Product: Hashenudara Edoc-Doctor-Appointment-System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65358

CVE-2025-65656 – dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
Product: Dcatadmin Dcat Admin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65656

CVE-2025-58386 – Terminalfour 8 through 8.4.1.1 allows Power Users to escalate privileges by manipulating the userLevel parameter in user management functions.
Product: Terminalfour
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58386
NVD References: https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/

CVE-2025-60854 – D-Link R15 (AX1500) 1.20.01 and below is vulnerable to command injection via the model name parameter during a password change request in the web administrator page.
Product: D-Link R15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60854
NVD References: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10473

CVE-2025-60736 – code-projects Online Medicine Guide 1.0 is vulnerable to SQL Injection in /login.php via the upass parameter.
Product: Anisha Online Medicine Guide
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60736
NVD References: https://github.com/WinDyAlphA/CVE-2025-60736

CVE-2025-65896 – SQL injection vulnerability in long2ice assyncmy through 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys.
Product: Long2ice assyncmy
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65896

CVE-2025-65267 – ERPNext v15.83.2 and Frappe Framework v15.86.0 are vulnerable to stored cross-site scripting (XSS) via malicious JavaScript embedded in uploaded SVG avatar images, allowing for potential account takeover and compromise of the affected instance.
Product: ERPNext and Frappe Framework
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65267

CVE-2024-32641 – Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution via the addParam function, allowing an unauthenticated attacker to execute arbitrary code.
Product: Masa CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32641

CVE-2025-66032 – Claude Code, an agentic coding tool, prior to version 1.0.93, allowed for arbitrary code execution by bypassing read-only validation, fixed in the latest update.
Product: Anthropic Claude_Code
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66032
NVD References: https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3

CVE-2025-66208 – Collabora Online – Built-in CODE Server prior to version 25.04.702 is vulnerable to Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy, putting users of Nextcloud with the app at risk.
Product: Collabora Online
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66208

CVE-2025-66222 – DeepChat is vulnerable to Stored Cross-Site Scripting (XSS) which can be escalated to Remote Code Execution (RCE) through the Electron IPC bridge.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66222

CVE-2025-66481 – DeepChat is vulnerable to XSS attacks through improperly sanitized Mermaid content, with a recent security patch being insufficient and allowing for Remote Code Execution via electron.ipcRenderer interface.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66481

CVE-2025-64055 – Fanvil x210 V2 2.12.20 is vulnerable to an authentication bypass, enabling unauthenticated attackers on the local network to access administrative functions of the device.
Product: Fanvil x210
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64055

CVE-2025-64054 – Fanvil x210 2.12.20 devices are susceptible to reflected Cross Site Scripting (XSS) attacks, permitting attackers to execute commands or launch denial of service attacks.
Product: Fanvil x210
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64054

CVE-2025-65868 – EyouCMS v1.7.1 is vulnerable to XML external entity (XXE) injection, enabling remote attackers to cause a denial of service with a specially crafted POST request body.
Product: EyouCMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65868

CVE-2024-45538 – Synology DiskStation Manager (DSM) and Synology Unified Controller (DSMUC) are vulnerable to CSRF attacks, allowing remote attackers to execute arbitrary code.
Product: Synology Diskstation_Manager_Unified_Controller
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45538
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_24_27

CVE-2025-53963 – Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices are vulnerable to root code execution due to a weak default password for the root account on an accessible SSH server.
Product: Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53963
NVD References:
https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf

CVE-2025-54303 – The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials stored as fixtures for the Django ORM API, allowing an attacker to authenticate with administrative privileges using the ionadmin user account and password ionadmin.
Product: Thermo Fisher Torrent Suite Django application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54303
NVD References:
https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf

CVE-2025-54304 – Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices have a vulnerability that allows unauthorized access and potential execution of code due to an exposed X11 display server.
Product: Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54304
NVD References:
https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf

CVE-2025-65346 – Alexusmai Laravel-File-Manager 3.3.1 and below is vulnerable to Directory Traversal, allowing archive contents to be written to arbitrary locations on the filesystem.
Product: alexusmai Laravel-File-Manager
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65346

CVE-2025-63362 – Waveshare RS232/485 TO WIFI ETH (B) allows attackers to bypass authentication by setting blank Administrator password and username values.
Product: Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63362

CVE-2025-29268 – ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library.
Product: ALLNET ALL-RUT22GW
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29268

CVE-2025-29269 – ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.
Product: ALLNET ALL-RUT22GW
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29269

CVE-2025-66570 – cpp-httplib prior to 0.27.0 allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions.
Product: cpp-httplib C++11 single-file header-only cross platform HTTP/HTTPS library
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66570

CVE-2025-27019 – Infinera MTC-9 version R22.1.1.0275 allows an attacker to gain system access by exploiting password-less user accounts and activating a reverse shell.
Product: Infinera MTC-9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27019
NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27019

CVE-2025-27020 – Infinera MTC-9 is vulnerable to an unauthenticated attacker exploiting an improperly configured SSH service to execute arbitrary commands and access file system data.
Product: Infinera MTC-9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27020
NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27020

CVE-2025-61318 – Emlog Pro 2.5.20 is vulnerable to arbitrary file deletion due to insufficient path verification and code filtering in the admin templates and plugins components.
Product: Emlog
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61318

CVE-2025-48626 – The vulnerable product allows for remote privilege escalation without additional execution privileges, as a result of a precondition check failure allowing for background application launch.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48626
NVD References: https://source.android.com/security/bulletin/2025-12-01

CVE-2025-64081 – SourceCodester Patients Waiting Area Queue Management System v1 is vulnerable to SQL injection through the appointmentID parameter in /php/api_patient_schedule.php, allowing for the execution of arbitrary SQL commands by attackers.
Product: Pamzey Patients_Waiting_Area_Queue_Management_System 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64081

CVE-2025-10573 – Ivanti Endpoint Manager is vulnerable to Stored XSS attacks allowing remote unauthenticated attackers to execute arbitrary JavaScript in an administrator session with user interaction.
Product: Ivanti Endpoint Manager
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10573
NVD References: https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024

CVE-2025-11022 – Panilux is vulnerable to CSRF attacks, allowing for unauthorized Cross-Site Request Forgery.
Product: Panilux
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11022
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0433

CVE-2025-12504 – TalentSoft Software UNIS is vulnerable to SQL Injection through improper neutralization of special elements before version 42321.
Product: TalentSoft Software UNIS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12504

CVE-2025-42880 – SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42880

CVE-2025-42928 – SAP jConnect is vulnerable to deserialization attacks that enable high privileged users to execute remote code under specific conditions, posing a significant risk to system security.
Product: SAP jConnect
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42928

CVE-2025-67504 – WBCE CMS versions 1.6.4 and below use non-cryptographically secure password generation, potentially leading to compromised user accounts or privilege escalation.
Product: WBCE CMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67504

CVE-2025-54100 – Windows PowerShell allows unauthorized attackers to execute code locally due to improper neutralization of special elements in a command.
Product: Microsoft Windows PowerShell
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54100
ISC Diary: https://isc.sans.edu/diary/32550
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100

CVE-2025-59718 & CVE-2025-59719 – Fortinet FortiOS, FortiProxy, and FortiSwitchManager have improper cryptographic signature verification vulnerabilities.
Product: Multiple Fortinet Products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59718
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59719
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-25-647

CVE-2025-64671 – Copilot is vulnerable to command injection, allowing unauthorized attackers to execute code locally.
Product: Microsoft Copilot
CVSS Score: 8.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64671
ISC Diary: https://isc.sans.edu/diary/32550
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671

CVE-2025-67489 – The vulnerability in “@vitejs/plugin-rs” allows arbitrary remote code execution on development servers through unsafe dynamic imports in server function APIs, which could lead to data theft or modification.
Product: vitejs plugin-rs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67489

CVE-2025-67494 – ZITADEL versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability due to treating the x-zitadel-forward-host header as a trusted fallback, allowing data exfiltration and bypassing network-segmentation controls.
Product: ZITADEL Login UI (V2)
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67494

CVE-2025-61808 – ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability allowing for arbitrary code execution by a high privileged attacker without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61808
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html

CVE-2025-61809 – ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are vulnerable to an Improper Input Validation flaw allowing security feature bypass, enabling unauthorized access without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61809
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html

CVE-2025-67506 – PipesHub’s vulnerability in versions prior to 0.1.0-beta allows remote attackers to overwrite files or plant malicious code by exploiting a missing authentication issue when converting uploaded files to PDF.
Product: PipesHub Workplace AI platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67506

CVE-2025-13542 – The DesignThemes LMS plugin for WordPress allows unauthenticated attackers to achieve Privilege Escalation by registering as administrators.
Product: DesignThemes LMS plugin for WordPress
Active Installations: Unknown. Update to version 1.0.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13542
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve

CVE-2025-13486 – The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution through the prepare_form() function, allowing unauthenticated attackers to execute arbitrary code on the server.
Product: WordPress Advanced Custom Fields: Extended plugin
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13486
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve

CVE-2025-13342 – The Frontend Admin by DynamiApps plugin for WordPress allows unauthenticated attackers to modify critical WordPress options via crafted form data.
Product: DynamiApps Frontend Admin by DynamiApps plugin
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13342
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3?source=cve

CVE-2025-13390 – The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass due to a weak token generation mechanism, allowing unauthenticated attackers to gain administrative access and achieve full site takeover.
Product: WP Directory Kit WordPress
Active Installations: 3,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13390
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve

CVE-2025-13313 – The CRM Memberships plugin for WordPress is vulnerable to privilege escalation through password reset in versions up to, and including, 2.5, due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action, allowing unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the endpoint.
Product: WordPress CRM Memberships plugin
Active Installations: This plugin has been closed as of December 2, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13313
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/e2837399-c44f-494e-bdc6-f9c6e4e2dc11?source=cve

CVE-2025-12374 – The User Verification plugin for WordPress up to version 2.0.39 allows unauthenticated attackers to bypass authentication and log in as any user with a verified email address by submitting an empty OTP value.
Product: WordPress User Verification plugin
Active Installations: This plugin has been closed as of December 3, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12374
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve

CVE-2025-13377 – The 10Web Booster plugin for WordPress is vulnerable to arbitrary folder deletion by authenticated attackers with Subscriber-level access and above, potentially leading to data loss or denial of service.
Product: 10Web Booster – Website speed optimization plugin for WordPress
Active Installations: 90,000+
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13377
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve

CVE-2025-13613 – The Elated Membership plugin for WordPress up to version 1.2 is vulnerable to Authentication Bypass, allowing unauthenticated attackers to log in as administrative users through improper user verification functions.
Product: Elated Membership plugin for WordPress
Active Installations: Unknown. Update to version 1.3, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13613
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve

@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 46

INTERNET STORM CENTER SPOTLIGHT

[Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads
Published: 2025-12-02
Last Updated: 2025-12-01 23:27:08 UTC
by James Woodworth, SANS.edu BACS Student (Version: 1)

[This is a Guest Diary by James Woodworth, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program.]

In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 and CVE-2025-53771, in on-premises SharePoint Server 2016, 2019, and Subscription editions. When the exploit chain was initially introduced, threat actors used payloads that attempted to upload web shells to a SharePoint server’s file system. The problem for threat actors was that the uploaded web shells were easily detectable by most Endpoint Detection and Response (EDR) solutions. So the threat actors upped the game and reworked their payloads to execute in-memory. This new technique made it more difficult for defenders to detect the execution of these new payloads.

Many articles have been written on the technical details of the ToolShell vulnerabilities, so I won’t go into an in-depth analysis here. If you want an in-depth analysis, check out the Securelist article, ToolShell: a story of five vulnerabilities in Microsoft SharePoint. What I will present to you in this post is a process using Zeek Network Security Monitor, DaemonLogger, and Wireshark to hunt for in-memory ToolShell exploit payloads and how to decode them for further analysis.

Review Zeek Logs
The first step in the hunt is to review the HTTP requests to our SharePoint server. We will do this by reviewing our Zeek http logs and looking for POST requests that contain the following indicators of a malicious request …

Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Hunting+for+SharePoint+InMemory+ToolShell+Payloads/32524/
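The diary's first step is a review of Zeek http.log records for POST requests that carry the indicators of a ToolShell request. The script below is an added example and is not the diary's own code or tooling: it parses Zeek's TSV format from the #fields header, applies the publicly documented ToolShell request shape (a POST to ToolPane.aspx in edit mode, typically with the SignOut page as the Referer) and reports each hit with a confidence level. The log excerpt, hostnames, addresses and UIDs are constructed for the example, and the indicator strings are assumptions you should replace with the indicator list you actually hunt with.

```python
"""Hunt a Zeek http.log for POST requests matching ToolShell-style indicators."""
from typing import Dict, Iterator, List, Optional

# Constructed Zeek http.log excerpt (TSV with Zeek's #fields header). The
# timestamps, UIDs, addresses and hostnames are made up for this example.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\treferrer\tuser_agent\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tstring\tcount
1752000000.000000\tCabc1\t203.0.113.10\t51234\t10.0.0.5\t80\tPOST\tsp.example.test\t/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx\t/_layouts/SignOut.aspx\tMozilla/5.0\t200
1752000001.000000\tCabc2\t10.0.0.20\t51235\t10.0.0.5\t80\tGET\tsp.example.test\t/sites/hr/SitePages/Home.aspx\t-\tMozilla/5.0\t200
1752000002.000000\tCabc3\t10.0.0.21\t51236\t10.0.0.5\t80\tPOST\tsp.example.test\t/_layouts/15/ToolPane.aspx?DisplayMode=Edit\t/sites/hr/default.aspx\tMozilla/5.0\t200
1752000003.000000\tCabc4\t203.0.113.11\t51237\t10.0.0.5\t80\tPOST\tsp.example.test\t/_layouts/15/toolpane.aspx?displaymode=edit\t/_layouts/SignOut.aspx\tpython-requests/2.31\t302
"""

# Indicator strings assumed for this example: the publicly documented ToolShell
# request shape. Swap in your own indicator list; matching is case-insensitive
# because SharePoint accepts either case and attackers vary it.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
EDIT_MODE = "displaymode=edit"
SIGNOUT_REFERRER = "/_layouts/signout.aspx"


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other '#' lines (separator, types, open, close) carry no records
        if not fields:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def classify(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a hit for a suspicious POST, or None for an uninteresting record."""
    if rec.get("method", "").upper() != "POST":
        return None
    uri = rec.get("uri", "").lower()
    if TOOLPANE_PATH not in uri or EDIT_MODE not in uri:
        return None
    # Legitimate page editing also POSTs to ToolPane.aspx, so the SignOut
    # referer is what separates a high-confidence hit from one to review.
    signout = rec.get("referrer", "").lower().endswith(SIGNOUT_REFERRER)
    return {
        "uid": rec["uid"],
        "src": rec["id.orig_h"],
        "uri": rec["uri"],
        "signout_referrer": signout,
        "confidence": "high" if signout else "review",
    }


def hunt_toolshell(log_text: str) -> List[Dict[str, object]]:
    """Run the classifier over every record and collect the hits in log order."""
    hits: List[Dict[str, object]] = []
    for rec in parse_zeek_log(log_text):
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in hunt_toolshell(SAMPLE_HTTP_LOG):
        print(f"{hit['confidence']:6} uid={hit['uid']} src={hit['src']} uri={hit['uri']}")
```

The uid of each hit is the pivot back to the full-packet capture: it identifies the connection whose POST body holds the payload to decode, which is the diary's next step.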

Conflicts between URL mapping and URL based access control
Published: 2025-11-24
Last Updated: 2025-11-24 16:54:38 UTC
by Johannes Ullrich (Version: 1)

We continue to encounter high-profile vulnerabilities related to the use of URL mapping (or “aliases”) with URL-based access control. Last week, we wrote about the Oracle Identity Manager vulnerability. I noticed some scans for an older vulnerability with similar roots today …

This request attempts to exploit a vulnerability in Hitachi Vantara Pentaho Business Analytics Server (CVE-2022-43939 and CVE-2022-43769). In this case, the end of the URL (/require[.]js) bypasses authentication. However, the request is still processed by “ldapTreeNodeChildren”, which is vulnerable to a template injection, causing the code to be executed. As last week, it appears that the “Chicago Rapper” Rondo botnet is again exploiting this vulnerability.

However, let’s examine the underlying cause of this issue.

For many applications, it makes sense to exempt certain URLs from authentication. For example, help pages, a password reset page, or a customer support contact page may need to be accessible even if the user is not logged in.

Webservers offer a wide range of options to map URLs to files on the web server’s file system. For example, for our API, we use this directive in Apache’s configuration …

Read the full entry: https://isc.sans.edu/diary/Conflicts+between+URL+mapping+and+URL+based+access+control/32518/
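The diary's underlying point is that an access-control filter which reasons about the URL string and a router which maps that string to a handler can disagree about the same request. The Python below is an added example, not code from the diary or from the Pentaho product: it models a small app whose login filter exempts static-asset suffixes from authentication while its router does longest-prefix matching, so a request ending in /require.js slips past the filter yet is still dispatched to the sensitive handler. The route table, the exemption rules and the function names are constructed; the handler name ldapTreeNodeChildren is used only as a label taken from the diary text. The hardened version decides on the canonical path after routing, so the filter and the handler see the same resource.

```python
"""URL-string access control versus prefix routing: the bypass and the fix."""
import posixpath
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed route table for an imaginary app. Longest matching prefix wins,
# the way many servlet mappings and web frameworks resolve a handler.
# (prefix, handler name, handler requires authentication)
ROUTES: List[Tuple[str, str, bool]] = [
    ("/api/ldapTreeNodeChildren", "ldapTreeNodeChildren", True),
    ("/api", "api_default", True),
    ("/static", "static_files", False),
    ("/help", "help_pages", False),
]

# Constructed URL-based exemption rules, as a login filter might express them:
# static asset suffixes and a few prefixes skip authentication.
PUBLIC_SUFFIXES = (".js", ".css", ".png")
PUBLIC_PREFIXES = ("/static/", "/help/")


def _under(path: str, prefix: str) -> bool:
    """Segment-aware prefix test: '/api' matches '/api/x' but not '/apix'."""
    return path == prefix or path.startswith(prefix + "/")


def resolve_route(path: str) -> Tuple[str, bool]:
    """Longest-prefix match; returns (handler, requires_auth)."""
    best: Tuple[str, str, bool] = ("", "not_found", False)
    for prefix, handler, needs_auth in ROUTES:
        if _under(path, prefix) and len(prefix) > len(best[0]):
            best = (prefix, handler, needs_auth)
    return best[1], best[2]


def canonical_path(raw_url: str) -> str:
    """Decode and normalise so the policy and the router reason about one string."""
    path = unquote(urlsplit(raw_url).path)
    norm = posixpath.normpath(path)  # collapses '..' and duplicate slashes
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def vulnerable_dispatch(raw_url: str, authenticated: bool) -> str:
    """Filter decides on the raw URL string; the router decides separately."""
    path = urlsplit(raw_url).path
    exempt = path.endswith(PUBLIC_SUFFIXES) or path.startswith(PUBLIC_PREFIXES)
    if not exempt and not authenticated:
        return "401 login required"
    handler, _ = resolve_route(path)
    return f"200 handled by {handler}"


def hardened_dispatch(raw_url: str, authenticated: bool) -> str:
    """Route first on the canonical path; the resolved handler's policy decides."""
    handler, needs_auth = resolve_route(canonical_path(raw_url))
    if needs_auth and not authenticated:
        return "401 login required"
    return f"200 handled by {handler}"


if __name__ == "__main__":
    probe = "/api/ldapTreeNodeChildren/require.js"
    print("vulnerable:", vulnerable_dispatch(probe, authenticated=False))
    print("hardened:  ", hardened_dispatch(probe, authenticated=False))
```

The exemption rule is not wrong on its own and neither is the router; the bug is that two components interpret the URL with different rules and the security decision is made by the one that is not going to handle the request. Tying the decision to the resolved handler removes the disagreement, and canonicalising first closes the related encoding and dot-segment variants.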

Use of CSS stuffing as an obfuscation technique?
Published: 2025-11-21
Last Updated: 2025-11-21 09:48:20 UTC
by Jan Kopriva (Version: 1)

From time to time, it can be instructive to look at generic phishing messages that are delivered to one’s inbox or that are caught by basic spam filters. Although one usually doesn’t find much of interest, sometimes these little excursions into what should be a run-of-the-mill collection of basic, commonly used phishing techniques can lead one to find something new and unusual. This was the case with one of the messages delivered to our handler inbox yesterday …

Read the full entry: https://isc.sans.edu/diary/Use+of+CSS+stuffing+as+an+obfuscation+technique/32510/

HOLIDAY HACK CHALLENGE

The 2025 SANS Holiday Hack Challenge is officially open!
Create your avatar, explore the new holiday adventure, and put your cybersecurity skills to the test through interactive challenges and puzzles. See if you’ve got what it takes to save the holidays.

https://www.sans.org/cyber-ranges/holiday-hack-challenge

New Features This Year:

CTF-Only Mode – Jump straight into the technical action
Micro-Challenges – 10–15 min puzzles for quick, festive wins
Capstones – Longer, deeper challenges to truly level up

OTHER INTERNET STORM CENTER ENTRIES

YARA-X 1.10.0 Release: Fix Warnings (2025.11.23)
https://isc.sans.edu/diary/YARAX+1100+Release+Fix+Warnings/32514/

Wireshark 4.4.1 Released (2025.11.23)
https://isc.sans.edu/diary/Wireshark+441+Released/32512/

Oracle Identity Manager Exploit Observation from September (CVE-2025-61757) (2025.11.20)
https://isc.sans.edu/diary/Oracle+Identity+Manager+Exploit+Observation+from+September+CVE202561757/32506/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-53770 – Microsoft SharePoint Server is vulnerable to code execution by unauthorized attackers through deserialization of untrusted data; an exploit is already in the wild.
Product: Microsoft SharePoint Server
CVSS Score: 0
** KEV since 2025-07-20 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
ISC Diary: https://isc.sans.edu/diary/32524

CVE-2025-53771 – Microsoft Office SharePoint is susceptible to path traversal which could enable a spoofing attack over a network.
Product: Microsoft Office SharePoint
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53771
ISC Diary: https://isc.sans.edu/diary/32524

CVE-2025-48633 – Android Framework contains an unspecified vulnerability that allows for information disclosure.
Product: Android Framework
CVSS Score: N/A
** KEV since 2025-12-02 **
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-48633 (Reserved)
ISC Podcast: https://isc.sans.edu/podcastdetail/9720
References: https://source.android.com/docs/security/bulletin/2025-12-01

CVE-2025-48572 – Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Product: Android Framework
CVSS Score: N/A
** KEV since 2025-12-02 **
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-48572 (Reserved)
ISC Podcast: https://isc.sans.edu/podcastdetail/9720
References: https://source.android.com/docs/security/bulletin/2025-12-01

CVE-2025-58360 – GeoServer versions 2.26.0 to 2.26.2 and 2.25.6 are vulnerable to an XML External Entity (XXE) exploit through the /geoserver/wms endpoint allowing attackers to define external entities within XML requests.
Product: GeoServer
CVSS Score: 8.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58360
ISC Podcast: https://isc.sans.edu/podcastdetail/9718
NVD References:
https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
https://osgeo-org.atlassian.net/browse/GEOS-11682

CVE-2025-60739 – Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 – 2025_07_21 is vulnerable to CSRF, allowing remote attackers to execute arbitrary code via the /bh_web_backend component.
Product: Ilevia EVE X1 Server Firmware
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60739

CVE-2025-63729 – Syrotech SY-GPON-1110-WDONT allows attackers to extract sensitive SSL information from firmware.
Product: Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63729

CVE-2025-33187 – NVIDIA DGX Spark GB10 has a vulnerability in SROOT, allowing attackers with privileged access to potentially execute code, disclose information, tamper with data, disrupt services, or escalate privileges.
Product: NVIDIA DGX OS
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33187
NVD References:
https://nvidia.custhelp.com/app/answers/detail/a_id/5720
https://www.cve.org/CVERecord?id=CVE-2025-33187

CVE-2025-65084 – Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior are vulnerable to an Out-of-Bounds Write flaw that could lead to information disclosure or code execution.
Product: Ashlar-Vellum
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65084
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01

CVE-2025-65085 – Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior are vulnerable to a Heap-based Buffer Overflow flaw that could lead to data disclosure or code execution.
Product: Ashlar-Vellum
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65085
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01

CVE-2025-61168 – SIGB PMB v8.0.1.14 is vulnerable to remote code execution through unserializing arbitrary files in cms_rest.php.
Product: SIGB PMB
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61168

CVE-2025-64063 – Primakon Pi Portal 1.0.18 API endpoints lack sufficient authorization checks, allowing standard users to bypass UI restrictions, manipulate data outside their scope, and potentially compromise data integrity and confidentiality.
Product: Primakon Project Contract Management
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64063

CVE-2025-51742 through CVE-2025-51746 – JSH_ERP 2.3.1 by jishenghua is vulnerable to Fastjson deserialization.
Product: JSH_ERP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51742
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51743
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51744
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51745
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51746

CVE-2025-64656 – Out-of-bounds read in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Product: Microsoft Azure Application Gateway
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64656
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64656

CVE-2025-64657 – Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Product: Microsoft Azure Application Gateway
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64657
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64657

CVE-2025-66022 – FACTION allows unauthenticated users to upload malicious extensions that can execute arbitrary system commands on the host running Faction before version 1.7.1, enabling remote code execution (RCE).
Product: FACTION PenTesting Report Generation and Collaboration Framework
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66022

CVE-2025-59390 – Apache Druid’s Kerberos authenticator vulnerability allows for weak fallback secrets to be generated by `ThreadLocalRandom`, potentially enabling attackers to predict or brute force authentication cookies, leading to token forgery or authentication bypass.
Product: Apache Druid Kerberos authenticator
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59390
NVD References: http://www.openwall.com/lists/oss-security/2025/11/26/1

CVE-2025-62354 – Cursor allows unauthorized attackers to execute arbitrary code by improperly handling special elements in OS commands, leading to command injections.
Product: Cursor
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62354

CVE-2025-65236 – OpenCode Systems USSD Gateway OC Release: 5 is vulnerable to SQL injection via the Session ID parameter in the /occontrolpanel/index.php endpoint.
Product: OpenCode Systems USSD Gateway OC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65236

CVE-2025-55469 – Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
Product: youlai youlai-boot
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55469

CVE-2025-64126 – Zenitel TCIV-3+ is vulnerable to OS command injection due to a lack of proper input validation, allowing attackers to inject arbitrary commands.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64126
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-64127 – Zenitel TCIV-3+ allows unauthenticated attackers to execute arbitrary commands remotely by incorporating user-supplied input into OS commands without proper validation.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64127
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-64128 – Zenitel TCIV-3+ is susceptible to OS command injection due to inadequate validation of user inputs, potentially enabling attackers to insert arbitrary commands.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64128
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-64130 – Zenitel TCIV-3+ is susceptible to a reflected cross-site scripting vulnerability, enabling remote attackers to run malicious JavaScript on victims’ browsers.
Product: Zenitel TCIV-3+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64130
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-26155 – NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.
Product: NCP Secure Enterprise Client 13.18
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26155

CVE-2025-65669 – classroomio 0.1.13 allows students to delete courses from the Explore page without proper authorization, bypassing admin-only restrictions.
Product: classroomio 0.1.13
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65669

CVE-2025-50433 – Imonnit.com (2025-04-24) is vulnerable to malicious actors gaining escalated privileges and taking over arbitrary user accounts through a crafted password reset.
Product: Imonnit.com
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50433

CVE-2025-65276 – HashTech project is vulnerable to unauthenticated administrative access, allowing attackers to take full control of the admin dashboard and perform various malicious activities.
Product: HashTech
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65276

CVE-2025-40934 – XML-Sig versions 0.27 through 0.67 incorrectly validate XML files if signatures are omitted, allowing attackers to pass verification checks by removing the signature from the XML document.
Product: XML-Sig Perl
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40934

CVE-2025-12419 – Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 are vulnerable to an issue where an authenticated attacker with team creation privileges can take over a user account by manipulating authentication data during the OAuth completion flow.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12419

CVE-2025-12421 – Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 have a vulnerability that allows an authenticated user to perform account takeover via a specially crafted email address when switching authentication methods.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12421

CVE-2025-64314 – Huawei HarmonyOS has a permission control vulnerability in the memory management module; successful exploitation may affect confidentiality.
Product: Huawei Harmonyos
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64314

CVE-2025-65112 – PubNet is vulnerable to an identity spoofing and privilege escalation issue in version 1.1.3 due to unauthenticated users being able to upload packages as any user by providing arbitrary author-id values.
Product: PubNet Dart & Flutter package service
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65112

CVE-2025-35028 – HexStrike AI MCP server allows attackers to execute commands with root privileges by providing a command-line argument starting with a semi-colon to an API endpoint created by the EnhancedCommandExecutor class.
Product: HexStrike AI MCP server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-35028

CVE-2025-12106 – OpenVPN fails to properly validate arguments, leading to a heap buffer over-read vulnerability.
Product: OpenVPN
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12106

CVE-2025-63525 – Blood Bank Management System 1.0 is vulnerable to authenticated attackers gaining elevated privileges through a crafted request in delete.php.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63525

CVE-2025-63531 – Blood Bank Management System 1.0’s receiverLogin.php component is vulnerable to SQL injection, enabling attackers to bypass authentication and access the system through manipulation of user-supplied input.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63531

CVE-2025-63532 – Blood Bank Management System 1.0’s cancel.php component allows attackers to inject SQL code through the search field, bypass authentication, and gain unauthorized access.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63532

CVE-2025-63535 – Blood Bank Management System 1.0 abs.php allows attackers to inject SQL code through the search field, leading to unauthorized system access.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63535

CVE-2025-3500 – Avast Antivirus (25.1.981.6) on Windows is vulnerable to Integer Overflow and Privilege Escalation before version 25.3.
Product: Avast Antivirus
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3500

CVE-2025-8351 – Avast Antivirus on MacOS is vulnerable to a Heap-based Buffer Overflow, Out-of-bounds Read issue during file scanning, potentially enabling Local Code Execution or Denial-of-Service of the antivirus engine process between versions 8.3.70.94 and 8.3.70.98.
Product: Avast Antivirus
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8351

CVE-2025-51682 – mJobtime 15.7.2 has a client-side authorization vulnerability allowing attackers to modify code and access administrative features.
Product: mJobtime 15.7.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51682

CVE-2025-65836 – PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController.
Product: PublicCMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65836

CVE-2025-66401 – MCP Watch is vulnerable to command injection in the cloneRepo method due to user-supplied githubUrl not being sanitized before passing to execSync.
Product: MCP Watch
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66401

CVE-2025-41742 – Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 are vulnerable to unauthorized remote attacks due to default cryptographic keys, enabling attackers to manipulate projects and data or access devices through remote maintenance.
Product: Sprecher Automations SPRECON-E series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41742
NVD References: https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf

CVE-2025-41744 – Sprecher Automations SPRECON-E series has default cryptographic keys that can be exploited by remote attackers, compromising data confidentiality and integrity.
Product: Sprecher Automations SPRECON-E series
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41744
NVD References: https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf

CVE-2025-6389 – The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 8.3 via the sneeit_articles_pagination_callback() function, allowing unauthenticated attackers to execute code on the server and potentially create new administrative user accounts.
Product: WordPress Sneeit Framework plugin
Active Installations: Unknown. Update to version 8.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6389
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve

CVE-2025-13559 – The EduKart Pro plugin for WordPress allows unauthenticated attackers to gain administrator access by exploiting a Privilege Escalation vulnerability.
Product: EduKart Pro WordPress
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13559
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve

CVE-2025-13595 – The CIBELES AI plugin for WordPress allows unauthenticated attackers to upload arbitrary files, leading to potential remote code execution.
Product: CIBELES AI plugin for WordPress
Active Installations: Unknown. Update to version 1.10.9, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13595
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e89a1c-7606-4391-a389-fa18d0967046?source=cve

CVE-2025-13538 – The FindAll Listing plugin for WordPress allows unauthenticated attackers to gain administrator access by exploiting a Privilege Escalation vulnerability in versions up to 1.0.5.
Product: WordPress FindAll Listing plugin
Active Installations: Unknown. Update to version 1.1, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13538
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve

CVE-2025-13539 – The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4, allowing unauthenticated attackers to potentially log in as administrative users.
Product: WordPress FindAll Membership plugin
Active Installations: Unknown. Update to version 1.1, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13539
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a856a96a-68d2-462d-b523-840668980807?source=cve

CVE-2025-13540 – The Tiare Membership plugin for WordPress permits Privilege Escalation up to version 1.2 by allowing unauthenticated attackers to register as administrators through the ‘tiare_membership_init_rest_api_register’ function.
Product: Tiare Membership plugin for WordPress
Active Installations: Unknown. Update to version 1.3, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13540
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve

CVE-2025-13675 – The Tiger theme for WordPress is vulnerable to Privilege Escalation allowing unauthenticated attackers to register as administrators.
Product: WordPress Tiger theme
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13675
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve

CVE-2025-13615 – The StreamTube Core plugin for WordPress allows unauthenticated attackers to change user passwords and potentially take over administrator accounts due to a vulnerability in versions up to 4.78.
Product: StreamTube WordPress Core plugin
Active Installations: Unknown. Update to version 4.79, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13615
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve

CVE-2025-13542 – The DesignThemes LMS plugin for WordPress allows unauthenticated attackers to achieve Privilege Escalation by registering as administrators.
Product: DesignThemes LMS plugin for WordPress
Active Installations: Unknown. Update to version 1.0.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13542
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve