@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 43

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Apple Patches Everything, Again
Published: 2025-11-04
Last Updated: 2025-11-04 12:10:29 UTC
by Johannes Ullrich (Version: 1)

Apple released its expected set of operating system upgrades. This is a minor feature upgrade that also includes fixes for 110 different vulnerabilities. As usual for Apple, many of the vulnerabilities affect multiple operating systems. None of the vulnerabilities is marked as already exploited. Apple only offers very sparse vulnerability descriptions. Here are some vulnerabilities that may be worth watching:

CVE-2025-43338, CVE-2025-43372: Memory corruption vulnerabilities in ImageIO. ImageIO is responsible for rendering images, and vulnerabilities like this have been exploited in the past for remote code execution. CVE-2025-43400, a vulnerability affecting FontParser, could have a similar impact.

CVE-2025-43431: A memory corruption issue in WebKit. This could be used to execute code via Safari …

Read the full entry: https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448/

XWiki SolrSearch Exploit Attempts (CVE-2025-24893) with link to Chicago Gangs/Rappers
Published: 2025-11-03
Last Updated: 2025-11-03 14:20:05 UTC
by Johannes Ullrich (Version: 1)

XWiki describes itself as “The Advanced Open-Source Enterprise Wiki” and considers itself an alternative to Confluence and MediaWiki. In February, XWiki released an advisory (and patch) for an arbitrary remote code execution vulnerability. Affected was the SolrSearch component, which any user, even with minimal “Guest” privileges, can use. The advisory included PoC code, so it is a bit odd that it took so long for the vulnerability to be widely exploited.

CISA added the vulnerability to its “Known Exploited Vulnerabilities” list this past Friday. Our data shows some reconnaissance scans starting in July, but actual exploit attempts did not commence until yesterday …

Read the full entry: https://isc.sans.edu/diary/XWiki+SolrSearch+Exploit+Attempts+CVE202524893+with+link+to+Chicago+GangsRappers/32444/
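Added here as an example, not code from the ISC diary or the XWiki project, of how to triage web server access logs for the reconnaissance and exploit activity the diary describes. It assumes that requests reach the vulnerable component through a path containing `SolrSearch`, that exploit attempts carry XWiki rendering macro syntax such as `{{groovy}}`, `{{async}}`, `{{velocity}}` or `{{python}}`, or a `}}}` breakout, in the query string, and that a plain request to the endpoint is reconnaissance; none of those markers come from the newsletter, and the log lines in `SAMPLE_LOG` are constructed for the example, not captured traffic.

```python
"""Triage web server access logs for XWiki SolrSearch (CVE-2025-24893) activity.

Added example, not code from the ISC diary or the XWiki project.
Assumptions (not taken from the newsletter): the endpoint is reached via a
path containing 'SolrSearch'; an exploit attempt carries XWiki rendering macro
syntax ({{groovy}}, {{async}}, {{velocity}}, {{python}}) or a '}}}' breakout in
the query string; a bare request to the endpoint is reconnaissance.
The log lines in SAMPLE_LOG are constructed for this example, not real traffic.
"""
import re
from typing import Optional
from urllib.parse import unquote_plus

# Combined Log Format; only the fields the triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rendering macros that have no business in a search string (assumed markers).
MACRO_RE = re.compile(r'\{\{\s*/?(groovy|async|velocity|python)\b', re.IGNORECASE)
BREAKOUT = '}}}'  # closes the surrounding macro so an injected one gets parsed

# Constructed sample: one probe, one macro payload the server answered 200,
# one unrelated page view, one macro payload the server refused with 403.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Nov/2025:10:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=test HTTP/1.1" 200 512
203.0.113.10 - - [02/Nov/2025:10:01:15 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 734
198.51.100.7 - - [02/Nov/2025:10:02:03 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 2048
198.51.100.7 - - [02/Nov/2025:10:02:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bvelocity%7D%7D%24request HTTP/1.1" 403 0
"""


def classify(line: str) -> Optional[dict]:
    """Return a finding for a SolrSearch request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if 'solrsearch' not in path.lower():
        return None
    # Decode twice: scanners frequently double-encode the payload.
    decoded = unquote_plus(unquote_plus(query))
    if MACRO_RE.search(decoded) or BREAKOUT in decoded:
        verdict = 'exploit_attempt'
    else:
        verdict = 'recon'
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'status': int(m.group('status')),
        'verdict': verdict,
        'query': decoded,
    }


def scan(log_text: str) -> list:
    """Classify every line; lines that are not SolrSearch requests are dropped."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.append(hit)
    return findings


def successful_exploit_attempts(findings: list) -> list:
    """Exploit-marked requests the server answered 200: the hosts to pull for forensics."""
    return [f for f in findings if f['verdict'] == 'exploit_attempt' and f['status'] == 200]


if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']:15} {f['verdict']:16} HTTP {f['status']} {f['query'][:50]!r}")
    print(f"{len(successful_exploit_attempts(results))} exploit attempt(s) answered with 200")
```

On real logs, call `scan()` on the file contents and start with `successful_exploit_attempts()`: an exploit-marked request that the wiki answered with 200 is the one that warrants pulling the server for forensics, whereas a 403 or a bare probe only tells you the host is on someone's target list. The marker list is a starting point for triage, not a substitute for the patch, since the macro syntax can be varied by the attacker.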

Updates to Domainname API
Published: 2025-11-05
Last Updated: 2025-11-05 16:17:17 UTC
by Johannes Ullrich (Version: 1)

For several years, we have offered a “new domain” list of recently registered (or, more accurately, recently discovered) domains. This list is offered via our API (https://isc.sans.edu/api). However, the size of the list has been causing issues, resulting in a “cut-off” list being returned. To resolve this issue, I updated the API call. It is sort of backward compatible, but it will not allow you to retrieve the full list. Additionally, we offer a simple “static file” containing the complete list. This file should be used whenever possible instead of the API …

I have not decided yet how long to keep these historic lists. The same data can be retrieved via the API request below. Likely, I will keep the last week as a “precompiled” list.

For the API, you may now retrieve partial copies of the list …

Read the full entry: https://isc.sans.edu/diary/Updates+to+Domainname+API/32452/

OTHER INTERNET STORM CENTER ENTRIES

Scans for Port 8530/8531 (TCP). Likely related to WSUS Vulnerability CVE-2025-59287 (2025.11.02)
https://isc.sans.edu/diary/Scans+for+Port+85308531+TCP+Likely+related+to+WSUS+Vulnerability+CVE202559287/32440/

X-Request-Purpose: Identifying “research” and bug bounty related scans? (2025.10.30)
https://isc.sans.edu/diary/XRequestPurpose+Identifying+research+and+bug+bounty+related+scans/32436/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-59287 – Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Product: Microsoft Windows Server Update Service
CVSS Score: 0
** KEV since 2025-10-24 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59287
ISC Diary: https://isc.sans.edu/diary/32440
ISC Podcast: https://isc.sans.edu/podcastdetail/9682

CVE-2025-24893 – XWiki Platform is vulnerable to arbitrary remote code execution through a request to `SolrSearch`, impacting the confidentiality, integrity, and availability of the installation.
Product: XWiki Platform
CVSS Score: 0
** KEV since 2025-10-30 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
ISC Diary: https://isc.sans.edu/diary/32444
ISC Podcast: https://isc.sans.edu/podcastdetail/9684

CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation Vulnerability
Product: Cisco IOS XE
CVSS Score: 0
** KEV since 2023-10-16 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20198
ISC Podcast: https://isc.sans.edu/podcastdetail/9682

CVE-2025-48703 – CWP Control Web Panel OS Command Injection Vulnerability. CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter of a filemanager changePerm request. A valid non-root username must be known.
Product: CWP Control Web Panel
CVSS Score: 9.0
** KEV since 2025-11-04 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48703
ISC Podcast: https://isc.sans.edu/podcastdetail/9506
NVD References: https://fenrisk.com/rce-centos-webpanel

CVE-2025-12380 – Firefox versions prior to 144.0.2 are vulnerable to a use-after-free in the GPU or browser process, triggered by a compromised child process using WebGPU-related IPC calls.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12380
NVD References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1993113
https://www.mozilla.org/security/advisories/mfsa2025-86/

CVE-2025-61043 – Monkey’s Audio 11.31 is susceptible to an out-of-bounds read in the CAPECharacterHelper::GetUTF16FromUTF8 function, which could lead to a crash or data exposure.
Product: Monkey’s Audio 11.31
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61043
NVD References: https://tzh00203.notion.site/Monkey-s-Audio-Out-of-Bounds-Read-Vulnerability-Report-version-11-31-249b5c52018a80739852d0d9660994c9?source=copy_link

CVE-2025-61128 – WAVLINK QUANTUM D3G/WL-WN530HG3 firmware M30HG3_V240730 and other models have a stack-based buffer overflow vulnerability allowing attackers to execute arbitrary code through a crafted POST request to login.cgi.
Product: WAVLINK QUANTUM D3G/WL-WN530HG3 firmware M30HG3_V240730
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61128
NVD References: https://gist.github.com/shinobu-alpha/6dd5ad7f83c16360f6564db0bc121e99

CVE-2025-36386 – IBM Maximo Application Suite versions 9.0.0 through 9.1.4 could allow remote attackers to bypass authentication and gain unauthorized access.
Product: IBM Maximo Application Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36386
NVD References: https://www.ibm.com/support/pages/node/7249416

CVE-2025-60355 – zhangyd-c OneBlog before 2.3.9 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
Product: zhangyd-c OneBlog
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60355

CVE-2025-61235 – Dataphone A920 v2025.07.161103 allows a custom crafted packet to bypass authentication and trigger functionality due to lack of validation.
Product: Dataphone A920
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61235
NVD References: https://github.com/stuxve/poc-dataphone-crafted-packet

CVE-2025-62368 – Taiga is vulnerable to remote code execution in versions 6.8.3 and earlier due to unsafe data deserialization, with a fix available in version 6.9.0.
Product: Taiga API
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62368
NVD References: https://github.com/taigaio/taiga-back/security/advisories/GHSA-cpcf-9276-fwc5

CVE-2025-64095 – DNN (formerly DotNetNuke) versions prior to 10.1.1 allow unauthenticated file uploads, and uploaded images can overwrite existing files, leading to possible website defacement and XSS injection.
Product: DNNsoftware (DotNetNuke)
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64095
NVD References: https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-3m8r-w7xg-jqvw

CVE-2024-45162 – A stack-based buffer overflow issue was discovered in the phddns client in Blu-Castle BCUM221E 1.0.0P220507 via the password field.
Product: Blu-Castle BCUM221E
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45162
NVD References:
https://blu-castle.com/
https://www.gruppotim.it/it/footer/red-team/2024/CVE-2024-45162-Blu-Castle_BCUM221E1.html

CVE-2025-10932 – Progress MOVEit Transfer (AS2 module) versions before 2025.0.3, 2024.1.7, and 2023.1.16 are prone to uncontrolled resource consumption.
Product: Progress MOVEit Transfer
CVSS Score: 8.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10932
ISC Podcast: https://isc.sans.edu/podcastdetail/9680
NVD References: https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025

CVE-2025-63622 – Online Complaint Site 1.0 is vulnerable to SQL injection through the manipulation of the argument category in /cms/admin/subcategory.php.
Product: Fabian Online Complaint Site
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63622
NVD References:
https://github.com/xmqaq/cve/issues/2

CVE-2025-64102 – Zitadel prior to versions 4.6.0, 3.4.3, and 2.71.18 allows online brute-force attacks on OTP, TOTP, and passwords, with mitigation strategies not fully implemented in recent APIs.
Product: Zitadel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64102
NVD References:
https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a
https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878

CVE-2025-64103 – Zitadel prior to version 4.6.0, 3.4.3, and 2.71.18 does not properly enforce multi factor authentication which allows attackers to bypass the more secure factor with a targeted TOTP code attack.
Product: Zitadel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64103
NVD References:
https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b
https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5

CVE-2025-11200 – MLflow Weak Password Requirements Authentication Bypass Vulnerability: remote attackers can bypass authentication on MLflow installations because of the weak password requirements the server enforces.
Product: LFprojects MLflow
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11200
NVD References:
https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54
https://www.zerodayinitiative.com/advisories/ZDI-25-932/

CVE-2025-11201 – MLflow Tracking Server allows remote attackers to execute arbitrary code by exploiting a directory traversal vulnerability in model creation, without requiring authentication.
Product: LFprojects MLflow
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11201
NVD References:
https://github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161
https://www.zerodayinitiative.com/advisories/ZDI-25-931/

CVE-2025-54469 – NeuVector does not validate environment variables in the enforcer container, allowing potential command injection within that container.
Product: NeuVector enforcer container
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54469
NVD References:
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54469
https://github.com/neuvector/neuvector/security/advisories/GHSA-c8g6-qrwh-m3vp

CVE-2025-50739 – iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization.
Product: iib0011 omni-tools
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50739
NVD References:
https://github.com/fai1424/Vulnerability-Research/tree/main/CVE-2025-50739
https://omnitools.app/json/stringify

CVE-2025-43027 – Security Center’s ALPR Manager role has a critical vulnerability that may grant attackers administrative access to the Genetec Security Center system.
Product: Genetec Security Center
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43027
NVD References:
https://resources.genetec.com/security-advisories/critical-security-vulnerability-affecting-the-alpr-manager-role-of-security-center
https://ressources.genetec.com/avis-de-securite/faille-de-securite-critique-affectant-le-role-gestionnaire-rapi-de-security-center

CVE-2025-62712 – JumpServer versions prior to v3.10.20-lts and v4.10.11-lts allow an authenticated, non-privileged user to retrieve connection tokens of other users, potentially leading to unauthorized access and privilege escalation.
Product: JumpServer
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62712
NVD References:
https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7

CVE-2025-48983 – Veeam Backup & Replication is vulnerable to remote code execution on Backup infrastructure hosts by authenticated domain users through the Mount service.
Product: Veeam Backup & Replication
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48983
NVD References: https://www.veeam.com/kb4771

CVE-2025-52665 – UniFi Access Application versions 3.3.22 through 3.4.31 expose a management API without proper authentication, allowing malicious actors to exploit the misconfiguration; fixed in version 4.0.21.
Product: UniFi Access
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52665
NVD References: https://community.ui.com/releases/Security-Advisory-Bulletin-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191

CVE-2025-6520 – Abis Technology BAPSIS software before 202510271606 allows Blind SQL Injection via improper neutralization of special elements in SQL commands.
Product: Abis Technology BAPSIS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6520
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0365

CVE-2025-57108 – Kitware VTK through 9.5.0 has a heap use-after-free vulnerability in vtkGLTFDocumentLoader, triggered by accessing freed memory during mesh object copy operations with corrupted GLTF files.
Product: Kitware VTK (Visualization Toolkit)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57108
NVD References: https://gitlab.kitware.com/vtk/vtk/-/issues/19736

CVE-2025-29270 – Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 are vulnerable to incorrect access control in the realtime.cgi endpoint, enabling unauthorized access to the admin panel and device control by attackers.
Product: Deep Sea Electronics DSE855
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29270
NVD References: https://blog.byteray.co.uk/shadow-entry-discovery-of-authentication-bypass-vulnerability-in-dse855-communications-device-938e35d4b361

CVE-2025-0987 – CVLand versions 2.1.0 through 20251103 are vulnerable to authorization bypass through a user-controlled key, allowing parameter injection.
Product: CB Project Ltd. Co. CVLand
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0987
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0371

CVE-2025-63451, CVE-2025-63452, & CVE-2025-63453 – Car-Booking-System-PHP v.1.0 SQL Injection vulnerabilities.
Product: Car-Booking-System-PHP carlux
CVSS Scores: 9.4 – 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63451
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63452
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63453
NVD References:
https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-12
https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-13
https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-14

CVE-2025-11953 – The Metro Development Server started by the React Native Community CLI is vulnerable to OS command injection through an exposed endpoint, allowing unauthenticated network attackers to run arbitrary executables and shell commands on Windows.
Product: React Native Community Metro Development Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11953
NVD References:
https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability

CVE-2025-12463 – Geutebruck G-Cam E-Series Cameras are vulnerable to unauthenticated SQL Injection via the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script on EFD-2130 cameras with firmware version 1.12.0.19.
Product: Geutebruck G-Cam E-Series Cameras
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12463
NVD References: https://blog.blacklanternsecurity.com/p/cve-2025-12463-98-unauthenticated

CVE-2025-54863 – Radiometrics VizAir is vulnerable to remote exposure of its REST API key, enabling attackers to manipulate weather data, disrupt airport operations, and engage in denial-of-service attacks.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54863
NVD References:
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json
https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04

CVE-2025-61945 – Radiometrics VizAir is vulnerable to remote attackers through unauthorized access to the admin panel, allowing manipulation of critical weather parameters and potentially endangering aircraft safety.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61945
NVD References:
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json
https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04

CVE-2025-61956 – Radiometrics VizAir lacks authentication mechanisms, enabling attackers to manipulate settings, mislead air traffic control, pilots, and forecasters.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61956
NVD References:
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json
https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04

CVE-2025-43338 – macOS Sonoma 14.8.2, iOS 26, and iPadOS 26 fix an out-of-bounds access issue in ImageIO where processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Product: Multiple Apple products
CVSS Score: 7.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43338
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43372 – Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory in ImageIO
Product: ImageIO
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43372
ISC Diary: https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448/
ISC Podcast: https://isc.sans.edu/podcastdetail/9686

CVE-2025-43431 – Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1, iPadOS 26.1, and tvOS 26.1 fix a WebKit issue, with improved memory handling, where processing maliciously crafted web content may lead to memory corruption.
Product: Multiple Apple products
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43431
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43350 – iOS 26.1 and iPadOS 26.1 fix a permissions issue that may allow an attacker to access restricted content from the lock screen.
Product: Apple iOS and iPadOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43350
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43361 – macOS Sequoia 15.7.2 fixes an out-of-bounds read issue that may allow a malicious app to read kernel memory.
Product: Multiple Apple products
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43361
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43364 – macOS Sonoma and macOS Sequoia versions 14.8 and 15.7 fix a race condition vulnerability that could allow an app to break out of its sandbox.
Product: Apple macOS
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43364
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43373 – macOS Sonoma and macOS Sequoia versions 14.8.2 and 15.7.2 have fixed a vulnerability where an app could cause unexpected system termination or corrupt kernel memory.
Product: Apple macOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43373
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43387 – macOS Sequoia 15.7.2 fixed a permissions issue allowing a malicious app to gain root privileges.
Product: Apple macOS
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43387
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43389 – iOS 26.1, iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, and visionOS 26.1 fix a privacy issue, by removing the vulnerable code, that may allow an app to access sensitive user data.
Product: Multiple Apple Products
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43389
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43399 – macOS Sequoia 15.7.2 is vulnerable to data exposure due to inadequate redaction of sensitive information, allowing an app to access protected user data.
Product: Apple macOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43399
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43401 – macOS Sonoma 14.8.2 and macOS Sequoia 15.7.2 fix a denial-of-service issue, with improved validation, that a remote attacker may be able to trigger.
Product: Apple macOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43401
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43405 – macOS Sonoma 14.8.2 and macOS Sequoia 15.7.2 fix a permissions issue, with additional sandbox restrictions, that may allow an app to access sensitive user data.
Product: Apple macOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43405
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43407 – visionOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1, iPadOS 26.1, and tvOS 26.1 fix an issue, with improved entitlements, that may allow an app to break out of its sandbox.
Product: Multiple Apple products
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43407
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43409 – macOS Sequoia 15.7.2 fixed a permissions issue with additional sandbox restrictions, preventing apps from accessing sensitive user data.
Product: Apple macOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43409
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43413 – visionOS, macOS, watchOS, iOS, iPadOS, and tvOS were vulnerable to sandboxed apps potentially being able to observe system-wide network connections, but the issue is fixed in the latest updates.
Product: Multiple Apple products
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43413
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43424 – iOS 26.1 and iPadOS 26.1 fix a missing bounds check that may allow a malicious HID device to cause an unexpected process crash.
Product: Apple iOS and iPadOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43424
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43436 – watchOS 26.1, iOS 26.1, iPadOS 26.1, tvOS 26.1, and visionOS 26.1 fix a permissions issue, with additional restrictions, that allowed an app to enumerate a user’s installed apps.
Product: Multiple Apple products
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43436
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43439 – iOS 26.1, iPadOS 26.1, and visionOS 26.1 have fixed a privacy issue where an app could potentially fingerprint the user.
Product: Multiple Apple products
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43439
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43442 – iOS and iPadOS versions prior to 26.1 may allow apps to identify other apps installed by the user due to a permissions issue that has been resolved.
Product: Apple iOS and iPadOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43442
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43449 – iOS 26.1 and iPadOS 26.1 fix a cache handling issue that may allow a malicious app to track users between installs.
Product: Apple iOS and iPadOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43449
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43450 – iOS and iPadOS versions prior to 26.1 allowed an app to learn information about the current camera view before being granted camera access.
Product: Apple iOS and iPadOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43450
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43452 – iOS 26.1 and iPadOS 26.1 fix an issue where sensitive keyboard suggestions may be displayed on the lock screen.
Product: Apple iOS and iPadOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43452
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43454 – iOS 26.1 and iPadOS 26.1 fix a state management issue where a device may persistently fail to lock.
Product: Apple iOS and iPadOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43454
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43462 – watchOS 26.1, iOS 26.1, iPadOS 26.1, tvOS 26.1, and visionOS 26.1 fix an issue that may allow an app to cause unexpected system termination or corrupt kernel memory.
Product: Multiple Apple products
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43462
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43468 – Intel-based Mac computers may have a vulnerability that allows apps to access sensitive user data.
Product: Apple macOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43468
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43469 – macOS Sonoma 14.8.2 and macOS Sequoia 15.7.2 have fixed a permissions issue allowing apps to potentially access sensitive user data.
Product: Apple macOS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43469
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43472 – macOS was vulnerable to an issue that allowed an app to gain root privileges, fixed in versions 14.8.2 and 15.7.2 with improved input sanitization.
Product: Apple macOS
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43472
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43474 – macOS is vulnerable to an out-of-bounds read which may allow an app to cause unexpected system termination or read kernel memory.
Product: Apple macOS
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43474
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43476 – macOS Sonoma 14.8.2 and macOS Sequoia 15.7.2 fix a permissions issue, with additional restrictions, that may allow an app to break out of its sandbox.
Product: Apple macOS
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43476
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43480 – Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1, iPadOS 26.1, and tvOS 26.1 are now protected from data exfiltration by malicious websites with improved checks.
Product: Multiple Apple products
CVSS Score: 8.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43480
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43496 – Versions prior to watchOS 26.1, iOS 26.1, iPadOS 26.1, macOS 15.7.2, and visionOS 26.1 may load remote content despite ‘Load Remote Images’ being disabled.
Product: Multiple Apple products
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43496
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43500 – watchOS 26.1, iOS 26.1, iPadOS 26.1, and visionOS 26.1 fix an issue, with improved handling of user preferences, that may allow an app to access sensitive user data.
Product: Multiple Apple products
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43500
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43502 – Safari 26.1, iOS 26.1, and iPadOS 26.1 fix a privacy issue, by removing sensitive data, that may allow an app to bypass certain privacy preferences.
Product: Apple Safari
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43502
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43505 – Xcode 26.1 fixes an out-of-bounds write issue that could lead to heap corruption when processing a maliciously crafted file.
Product: Apple Xcode
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43505
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-43400 – macOS, visionOS, iOS, and iPadOS were affected by an out-of-bounds write issue when processing maliciously crafted fonts, potentially leading to unexpected app termination or memory corruption.
Product: Multiple Apple products
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43400
ISC Diary: https://isc.sans.edu/diary/32448

CVE-2025-4665 – WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 is vulnerable to pre-authentication SQL injection and insecure deserialization, allowing for remote exploitation without authentication through crafted input.
Product: WordPress Contact Form CFDB7
Active Installations: 600,000+
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4665
NVD References: https://wordpress.org/plugins/contact-form-cfdb7

CVE-2025-5397 – The Noo JobMonster theme for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to access administrative user accounts.
Product: Noo JobMonster theme for WordPress
Active Installations: Unknown. Update to version 4.8.2, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5397
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6fa4aa8d-d7f1-4e91-bb2c-c9f80a4bb216?source=cve

CVE-2025-8489 – The King Addons for Elementor plugin for WordPress, versions 24.12.92 through 51.1.14, does not properly restrict user roles, allowing unauthenticated attackers to register as administrators (privilege escalation).
Product: King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8489
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a1bb2b06-9a3b-4428-8624-26a1202fe3b0?source=cve

CVE-2025-11833 – The Post SMTP plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the __construct function.
Product: Post SMTP Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin
Active Installations: 400,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11833
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cve

CVE-2025-11499 – The Tablesome Table plugin for WordPress is vulnerable to arbitrary file uploads, enabling unauthenticated attackers to potentially execute remote code on the affected site’s server.
Product: Tablesome Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin
Active Installations: 9,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11499
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/2be770c7-7aa2-430b-981d-5d81fe068bef?source=cve

CVE-2025-8900 – The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, but not including, 1.5.4, allowing unauthenticated attackers to gain elevated privileges.
Product: Doccure WordPress plugin
Active Installations: Unknown. Update to version 1.5.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8900
NVD References:
https://themeforest.net/item/doccure-medical-wordpress-theme/34329202
https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve

CVE-2025-11007 & CVE-2025-11008 – The CE21 Suite plugin for WordPress allows unauthenticated attackers to update API settings and create new admin accounts (CVE-2025-11007) and is vulnerable to Sensitive Information Exposure through the log file, allowing unauthenticated attackers to extract sensitive data and potentially take over a site (CVE-2025-11008).
Product: WordPress CE21 Suite plugin
Active Installations: This plugin has been closed as of October 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11007
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11008
NVD References:
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e24feac-1812-45d7-b3c3-27787eed1cf1?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/91aa86d9-8e42-4deb-b6ca-c3b388fefcb1?source=cve

CVE-2025-12158 – The Simple User Capabilities plugin for WordPress allows unauthenticated attackers to elevate user roles to administrator due to missing capability checks.
Product: WordPress Simple User Capabilities plugin
Active Installations: This plugin has been closed as of October 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12158
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve

CVE-2025-12493 – The ShopLentor plugin for WordPress is vulnerable to Local File Inclusion up to version 3.2.5, allowing unauthenticated attackers to execute arbitrary .php files on the server.
Product: ShopLentor WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12493
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/12bb4bb9-e908-43ad-8fb1-59418580f5e1?source=cve

CVE-2025-12682 – The Easy Upload Files During Checkout plugin for WordPress allows unauthenticated attackers to upload arbitrary JavaScript files, leading to potential remote code execution.
Product: WordPress Easy Upload Files During Checkout plugin
Active Installations: 600+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12682
NVD References:
https://plugins.trac.wordpress.org/changeset/3384711/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a050764-0ba6-49a4-bd71-f79e3129fc4c?source=cve

@RISK: The Consensus Security Vulnerability Alert: Vol. 25, Num. 42

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

How to collect memory-only filesystems on Linux systems
Published: 2025-10-29
Last Updated: 2025-10-29 04:53:31 UTC
by Jim Clausing (Version: 1)

I’ve been doing Unix/Linux IR and Forensics for a long time. I logged into a Unix system for the first time in 1983. That’s one of the reasons I love teaching FOR577, because I have stories that go back to before some of my students were even born that are still relevant today.

In recent years, I’ve noticed a lot of attackers try to hide their tools or stage their data exfiltration in memory-only filesystems …

Unfortunately, you can’t just dd these tmpfs filesystems. There is no block device backing it that will let you take a forensically sound image. So, if I want to get all of the metadata and the contents of any files the attacker may have stashed there, I’m going to need to try something else. Fortunately, after thinking about it a bit, I came up with a method that worked for me. I even talked it over briefly with Hal Pomeranz and we couldn’t come up with anything better. When I was thinking about this about a year ago, I did a quick Google search and didn’t see anyone else having talked about this, but I’d be surprised if others haven’t come up with the same idea.

The basic idea is to first collect the metadata (inode contents), then collect the file contents, since doing it in the other order would cause the access timestamp in the inode to be updated. Since I came up with this technique, I’ve used it on dozens (probably 100+) of systems with pretty good success. I have run into a handful that didn’t have the stat command, so I could only collect the contents, but not the inode metadata. You deal with what the system has available …

Read the full entry: https://isc.sans.edu/diary/How+to+collect+memoryonly+filesystems+on+Linux+systems/32432/
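The two-pass idea in the excerpt, rendered as a Python script. This is an added example, not Jim Clausing's script or anything taken from the diary: it records inode metadata with os.lstat() for every entry first, then opens the files to hash and tar them, and it prunes anything on another device so a filesystem mounted below the tmpfs is not collected. The /proc/mounts parsing assumes Linux; the scratch tree (a fake "shm" directory with a staged archive and a symlink) is constructed by the script so it runs offline, and the field names in metadata.json are this example's own choice.

```python
"""Two-pass capture of a memory-only filesystem (added example, not the diary's script).
Pass 1 records inode metadata with os.lstat(), which never opens a file and so cannot
disturb its access time.  Pass 2 opens the files to hash and archive them.  Reversed,
the reads in pass 2 would overwrite the atime the attacker left behind."""
import hashlib
import json
import os
import stat
import tarfile
import tempfile

MEMORY_FS_TYPES = ("tmpfs", "ramfs")

def list_memory_mounts(mounts_text):
    """Mount points of memory-backed filesystems, parsed from Linux /proc/mounts text."""
    targets = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in MEMORY_FS_TYPES:
            targets.append(fields[1].replace("\\040", " "))  # /proc/mounts escapes spaces
    return targets

def _kind(mode):
    return ("file" if stat.S_ISREG(mode) else "dir" if stat.S_ISDIR(mode) else
            "symlink" if stat.S_ISLNK(mode) else "other")

def _record(root, full):
    st = os.lstat(full)  # lstat: no open(), no atime update, symlinks not followed
    return {"path": os.path.relpath(full, root), "inode": st.st_ino, "type": _kind(st.st_mode),
            "mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid,
            "nlink": st.st_nlink, "size": st.st_size, "atime_ns": st.st_atime_ns,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}

def collect_metadata(root):
    """Pass 1: lstat every entry under root without opening anything.  Directories on
    another device are pruned (the find -xdev idea) so a mount beneath is not swept in."""
    root_dev = os.lstat(root).st_dev
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        records.append(_record(root, dirpath))
        dirnames[:] = [d for d in dirnames if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            rec = _record(root, os.path.join(dirpath, name))
            if rec["type"] != "dir":  # real subdirectories are recorded when walk() enters them
                records.append(rec)
    return records

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def collect_contents(root, records, tar_path):
    """Pass 2: hash every regular file from pass 1 and archive exactly those entries.
    Files are opened only here, after their original atime has already been written out."""
    hashes = {}
    with tarfile.open(tar_path, "w") as tar:
        for rec in records:
            full = os.path.join(root, rec["path"])
            if rec["type"] == "file":
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
                hashes[rec["path"]] = h.hexdigest()
            if rec["type"] in ("file", "dir", "symlink"):
                tar.add(full, arcname=os.path.normpath(os.path.join("capture", rec["path"])),
                        recursive=False)
    return hashes

def collect_tree(root, outdir):
    """Capture root into outdir, which must live on another filesystem, never inside root."""
    os.makedirs(outdir, exist_ok=True)
    records = collect_metadata(root)                    # pass 1: metadata only
    meta_path = os.path.join(outdir, "metadata.json")
    with open(meta_path, "w") as f:
        json.dump(records, f, indent=1)
    tar_path = os.path.join(outdir, "contents.tar")
    hashes = collect_contents(root, records, tar_path)  # pass 2: contents
    return {"records": records, "hashes": hashes, "metadata_file": meta_path, "tar_file": tar_path}

def build_scratch_tree(base):
    """Constructed stand-in for a tmpfs an intruder staged files in (not real evidence)."""
    src = os.path.join(base, "shm")
    os.makedirs(os.path.join(src, ".cache"))
    with open(os.path.join(src, ".cache", "exfil.tar.gz"), "wb") as f:
        f.write(b"stolen data\n")
    os.symlink("exfil.tar.gz", os.path.join(src, ".cache", "latest"))
    return src

def run_demo():
    """Build the scratch tree in a temp dir, collect it, and return what was captured."""
    base = tempfile.mkdtemp(prefix="memfs-demo-")
    result = collect_tree(build_scratch_tree(base), os.path.join(base, "evidence"))
    with tarfile.open(result["tar_file"]) as tar:
        result["tar_names"] = tar.getnames()
    return result
```

On a live system you would call collect_tree() once per mount returned by list_memory_mounts(open("/proc/mounts").read()), with the output directory on removable media or another filesystem. Modern Linux mounts with relatime already suppress many atime updates, but ordering the passes this way costs nothing and does not depend on mount options.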

A phishing with invisible characters in the subject line
Published: 2025-10-28
Last Updated: 2025-10-28 10:12:32 UTC
by Jan Kopriva (Version: 1)

While reviewing malicious messages that were delivered to our handler inbox over the past few days, I noticed that the “subject” of one phishing e-mail looked quite strange when displayed in the Outlook message list …

As you can see, once the message was open, the subject was displayed as a normal, readable text. This suggested that some invisible characters were likely present.

A quick look at the e-mail headers proved this to be the case …

Read the full entry: https://isc.sans.edu/diary/A+phishing+with+invisible+characters+in+the+subject+line/32428/
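An added example (not Jan Kopriva's analysis) of the check that excerpt implies: decode the Subject the way a mail client does and list every code point that renders as nothing. The message is constructed here, with zero-width and soft-hyphen characters spliced into an otherwise ordinary subject; the diary does not say which characters its sample carried, so these are illustrative.

```python
"""Spotting invisible characters hidden in an e-mail Subject (added example, not the diary's code).
The Subject is parsed with the stdlib email package (RFC 2047 encoded words are decoded
for us), then every code point that renders as nothing is reported: Unicode format
characters (category Cf: zero-width space/joiner, soft hyphen, BOM) and control
characters (category Cc) other than ordinary whitespace."""
import email
import email.policy
import unicodedata
from email.message import EmailMessage

INVISIBLE_CATEGORIES = {"Cf", "Cc"}
WHITESPACE_OK = {"\t", "\r", "\n"}

# Constructed sample subject: visible text with three zero-width / soft characters spliced in
SAMPLE_SUBJECT = "Final\u200b notice:\u00ad invoice\u200c overdue"

def build_sample_raw():
    """Serialise a constructed message; the non-ASCII Subject becomes an RFC 2047 encoded word."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "handler@example.invalid"
    msg["Subject"] = SAMPLE_SUBJECT
    msg.set_content("Please see the attached invoice.\n")
    return msg.as_bytes()

def invisible_chars(text):
    """Every invisible code point in text as index, U+XXXX and Unicode name."""
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES and ch not in WHITESPACE_OK:
            hits.append({"index": i, "codepoint": f"U+{ord(ch):04X}",
                         "name": unicodedata.name(ch, "<unnamed>")})
    return hits

def analyze_subject(raw_message):
    """Decode the Subject of a raw RFC 5322 message and report hidden characters."""
    decoded = email.message_from_bytes(raw_message, policy=email.policy.default)
    raw = email.message_from_bytes(raw_message, policy=email.policy.compat32)
    subject = str(decoded["Subject"] or "")
    hidden = invisible_chars(subject)
    hidden_idx = {h["index"] for h in hidden}
    return {
        "raw_header": str(raw["Subject"] or ""),  # what the headers actually carry
        "subject": subject,                       # what the client renders
        "visible": "".join(c for i, c in enumerate(subject) if i not in hidden_idx),
        "hidden": hidden,
        "suspicious": bool(hidden),
    }

if __name__ == "__main__":
    report = analyze_subject(build_sample_raw())
    print("raw header :", report["raw_header"])
    print("rendered   :", report["visible"])
    for h in report["hidden"]:
        print(f"  hidden at {h['index']}: {h['codepoint']} {h['name']}")
```

The same invisible_chars() check applies to From display names and attachment filenames, which are the other places these characters tend to turn up.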

Bytes over DNS
Published: 2025-10-27
Last Updated: 2025-10-27 09:10:01 UTC
by Didier Stevens (Version: 1)

I was intrigued when Johannes talked about malware that uses BASE64 over DNS to communicate. Take a DNS request like this: label1[.]label2[.]tld. Labels in a request like this can only be composed of letters (not case-sensitive), digits and the hyphen character (-), while BASE64 is encoded with letters (uppercase and lowercase), digits and the special characters + and /, plus a special padding character: =.

So when sticking to the standards, it is not possible to use BASE64 in a label. What happens when we don’t stick to the standards?

So I wanted to know what byte values I could transmit over DNS when using third-party DNS infrastructure over which I have no control, like my ISP, CloudFlare, Google, …

Here is a schema …

Read the full entry: https://isc.sans.edu/diary/Bytes+over+DNS/32420/
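To make the label constraint concrete, here is an added example (not Didier's code, and not the byte-probing his diary goes on to do) that packs bytes into standards-conforming labels with base32, which uses only letters and digits, and reports which base64 characters would break the rules. The 63-character label and 253-character name limits are from RFC 1035; the domain names used are placeholders.

```python
"""Carrying arbitrary bytes in standards-conforming DNS labels (added example, not the diary's code).
A hostname label is letters, digits and '-' (no leading or trailing hyphen), at most 63
characters, and a whole name is at most 253 characters in presentation form.  Base64
needs '+', '/' and '=', which a conforming resolver may refuse; base32 (RFC 4648,
alphabet A-Z 2-7) fits, at the cost of 8 characters per 5 bytes instead of 4 per 3."""
import base64
import re

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")
MAX_LABEL = 63
MAX_NAME = 253

def is_hostname_label(label):
    return bool(LABEL_RE.match(label))

def base64_label_violations(data):
    """Characters base64 would put into a label that the hostname rules do not allow."""
    return sorted({c for c in base64.b64encode(data).decode() if c not in LABEL_CHARS})

def encode_query_name(data, domain):
    """Pack data into base32 labels under domain; raise if the name would be too long."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()  # padding '=' is not label-safe
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"{len(data)} bytes need a {len(name)}-char name, limit is {MAX_NAME}")
    return name

def decode_query_name(name, domain):
    """Inverse of encode_query_name: strip the domain, re-pad and base32-decode."""
    if not name.endswith("." + domain):
        raise ValueError("name is not under the expected domain")
    b32 = name[: -len(domain) - 1].replace(".", "").upper()
    b32 += "=" * (-len(b32) % 8)           # restore the padding the encoder dropped
    return base64.b32decode(b32)

def encoded_name_length(n_bytes, domain):
    chars = -(-8 * n_bytes // 5)           # ceil(8n/5) base32 characters
    labels = max(1, -(-chars // MAX_LABEL))
    return chars + labels + len(domain)    # labels-1 inner dots plus the dot before domain

def max_payload_bytes(domain):
    """Largest payload one query name under domain can carry."""
    n = 0
    while encoded_name_length(n + 1, domain) <= MAX_NAME:
        n += 1
    return n

def fits(data, domain):
    return encoded_name_length(len(data), domain) <= MAX_NAME

if __name__ == "__main__":
    payload = bytes(range(32))
    name = encode_query_name(payload, "c2.example")
    print(name)
    print(decode_query_name(name, "c2.example") == payload)
    print("base64 would need:", base64_label_violations(payload))
    print("max bytes per query under c2.example:", max_payload_bytes("c2.example"))
```

The budget max_payload_bytes() reports is per query; a detection point for defenders is the same arithmetic in reverse, since long runs of maximal-length base32 labels under one domain are exactly what this encoding produces.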

OTHER INTERNET STORM CENTER ENTRIES

Kaitai Struct WebIDE (2025.10.26)
https://isc.sans.edu/diary/Kaitai+Struct+WebIDE/32422/

Phishing Cloud Account for Information (2025.10.23)
https://isc.sans.edu/diary/Phishing+Cloud+Account+for+Information/32416/

Infostealer Targeting Android Devices (2025.10.23)
https://isc.sans.edu/diary/Infostealer+Targeting+Android+Devices/32414/

webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant? (2025.10.22)
https://isc.sans.edu/diary/webctrlcgiBlue+Angel+Software+Suite+Exploit+Attempts+Maybe+CVE202534033+Variant/32410/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-59287 – Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Product: Microsoft Windows Server Update Service
CVSS Score: 0
** KEV since 2025-10-24 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59287
ISC Podcast: https://isc.sans.edu/podcastdetail/9670

CVE-2025-54236 – Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are vulnerable to an Improper Input Validation issue, allowing attackers to achieve session takeover without requiring user interaction.
Product: Adobe Commerce
CVSS Score: 0
** KEV since 2025-10-24 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54236
ISC Podcast: https://isc.sans.edu/podcastdetail/9670

CVE-2025-40780 – BIND is vulnerable to PRNG weakness allowing attackers to predict source ports and query IDs in certain circumstances.
Product: ISC BIND
CVSS Score: 8.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40780
ISC Podcast: https://isc.sans.edu/podcastdetail/9670
NVD References: https://kb.isc.org/docs/cve-2025-40780

CVE-2025-34033 – Blue Angel Software Suite on embedded Linux devices is vulnerable to OS command injection via the ping_addr parameter in the webctrl.cgi script, allowing authenticated attackers to execute arbitrary commands as the root user.
Product: Blue Angel Software Suite
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-34033
ISC Podcast: https://isc.sans.edu/podcastdetail/9668

CVE-2025-6542 – An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
Product: TP-Link ER8411
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6542
NVD References: https://support.omadanetworks.com/en/document/108455/

CVE-2025-7851 – An attacker may obtain the root shell on the underlying OS system with the restricted conditions on Omada gateways.
Product: TP-Link FR307-M2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7851
NVD References: https://support.omadanetworks.com/en/document/108456/

CVE-2025-10640 – WorkExaminer server has a vulnerability where an unauthenticated attacker with access to TCP port 12306 can bypass authentication checks in the Professional console to gain administrative access.
Product: WorkExaminer Professional
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10640

CVE-2025-60772 – NETLINK HG322G V1.0.00-231017 is vulnerable to improper authentication, allowing a remote attacker to escalate privileges and lock out the legitimate administrator.
Product: NETLINK HG322G
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60772

CVE-2025-53037 – Oracle Financial Services Analytical Applications Infrastructure product is vulnerable to an easily exploitable attack that allows unauthorized access and potential takeover of the system.
Product: Oracle Financial Services Analytical Applications Infrastructure
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53037
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html

CVE-2025-53072 & CVE-2025-62481 – Oracle Marketing in Oracle E-Business Suite (component: Marketing Administration) versions 12.2.3-12.2.14 is vulnerable to easily exploitable attacks by unauthenticated attackers via HTTP, potentially leading to a complete takeover of Oracle Marketing with a CVSS Base Score of 9.8.
Product: Oracle Marketing
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53072
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62481
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html

CVE-2025-61757 – The vulnerability in the Identity Manager product of Oracle Fusion Middleware allows an unauthenticated attacker to compromise the system and potentially take it over.
Product: Oracle Identity Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61757
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html

CVE-2025-41723 – The importFile SOAP method is vulnerable to directory traversal, allowing unauthenticated remote attackers to upload files to arbitrary locations.
Product: importFile SOAP method
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41723

CVE-2025-56447 – TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
Product: TM2 Monitoring v3.04
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56447

CVE-2025-57870 – Esri ArcGIS Server versions 11.3, 11.4, and 11.5 on various platforms are vulnerable to SQL Injection, allowing remote attackers to execute arbitrary commands and potentially access, modify, or delete data.
Product: Esri ArcGIS Server
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57870
NVD References: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch

CVE-2025-47699 – Gallagher Morpho integration is vulnerable to exposure of sensitive system information, allowing authenticated operators to make critical changes to local devices.
Product: Gallagher Morpho Integration
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47699
NVD References: https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-47699

CVE-2025-11023 – AcBakImzala before v5.1.4 allows PHP Local File Inclusion.
Product: ArkSigner Software and Hardware Inc. AcBakImzala
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11023
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0356

CVE-2025-58428 – The TLS4B ATG system’s SOAP-based interface can be exploited by remote attackers with valid credentials to execute system-level commands and potentially gain full control over the underlying Linux system.
Product: Veeder-Root TLS4B ATG system
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58428
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-03

CVE-2025-59503 – Server-side request forgery (ssrf) in Azure Compute Gallery allows an authorized attacker to elevate privileges over a network.
Product: Azure Compute Gallery
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59503
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59503

CVE-2025-61934 – Productivity Suite software version v4.4.1.19 is vulnerable to an unrestricted IP address binding, enabling unauthenticated remote attackers to manipulate files and folders on the target machine via the ProductivityService PLC simulator.
Product: AutomationDirect Productivity Suite
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61934
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01

CVE-2025-11253 – Netty ERP by Aksis Technology Inc. is vulnerable to SQL Injection in versions before V.1.1000.
Product: Aksis Technology Inc. Netty ERP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11253

CVE-2025-43995 – Dell Storage Center – Dell Storage Manager version 20.1.21 has an Improper Authentication vulnerability allowing unauthenticated remote attackers to bypass protection mechanisms and authenticate as special users in compellentservicesapi.
Product: Dell Storage Center
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43995
NVD References: https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities

CVE-2025-60548, CVE-2025-60553, & CVE-2025-60554 – D-Link DIR600LAx FW116WWb01 was discovered to contain buffer overflow vulnerabilities.
Product: D-Link DIR-600LAx
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60548
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60553
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60554

CVE-2025-60803 – Antabot White-Jotter contains an unauthenticated remote code execution vulnerability.
Product: Antabot White-Jotter
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60803

CVE-2025-62717 – Emlog Pro version 2.5.23 is vulnerable to a session verification code error that allows for reuse of the code in email verification processes, fixed in commit 1f726df.
Product: Emlog Pro
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62717

CVE-2025-10561 – The device is running an outdated operating system, which may be susceptible to known vulnerabilities.
Product: SICK TLOC100-100 all firmware versions
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10561
NVD References:
https://sick.com/psirt
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0013.pdf

CVE-2025-60291 – eTimeTrackLite Web thru 12.0 (20250704) is vulnerable to unauthorized attackers accessing specific routes and modifying database connection configurations due to a permission control flaw.
Product: eTimeTrackLite Web
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60291

CVE-2025-61481 – MikroTik RouterOS v.7.14.2 and SwitchOS v.2.18 are vulnerable to remote code execution through the HTTP-only WebFig management component.
Product: MikroTik RouterOS
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61481

CVE-2025-27224 – TRUfusion Enterprise through 7.10.4.0 has a vulnerability that permits path traversal sequences to be utilized for uploading files, potentially enabling the execution of arbitrary code.
Product: TRUfusion Enterprise
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27224

CVE-2025-55754 – Apache Tomcat is vulnerable to improper neutralization of escape, meta, or control sequences, allowing an attacker to manipulate the console and clipboard via specially crafted URLs.
Product: Apache Tomcat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55754

CVE-2025-61385 – tlocke pg8000 1.31.4 is vulnerable to SQL injection through crafted Python list input.
Product: tlocke pg8000
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61385

CVE-2025-62516 – TurboTenant property listing activation workflow has a vulnerability in API endpoints that could expose sensitive business metadata.
Product: VivaTurbo Rentals & Property Services Landlord Onboarding & Rental Signup
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62516

CVE-2025-36386 – IBM Maximo Application Suite versions 9.0.0 through 9.1.4 could allow remote attackers to bypass authentication and gain unauthorized access.
Product: IBM Maximo Application Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36386
NVD References: https://www.ibm.com/support/pages/node/7249416

CVE-2025-62368 – Taiga is vulnerable to remote code execution in versions 6.8.3 and earlier due to unsafe data deserialization, with a fix available in version 6.9.0.
Product: Taiga API
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62368

CVE-2025-64095 – DNN (formerly DotNetNuke) version prior to 10.1.1 allows unauthenticated file uploads and images to overwrite existing files, leading to possible website defacement and XSS injection vulnerabilities.
Product: DNN (formerly DotNetNuke)
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64095

CVE-2025-4665 – WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 is vulnerable to pre-authentication SQL injection and insecure deserialization, allowing for remote exploitation without authentication through crafted input.
Product: WordPress Contact Form CFDB7
Active Installations: 600,000+
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4665
NVD References: https://wordpress.org/plugins/contact-form-cfdb7

CVE-2025-10916 – The FormGent WordPress plugin before 1.0.4 allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation.
Product: FormGent WordPress plugin
Active Installations: 800
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10916
NVD References: https://wpscan.com/vulnerability/81c23998-1abb-495f-890a-79624a4cab9a/

CVE-2025-48106 – CMSSuperHeroes Clanora allows unrestricted upload of dangerous files, posing a risk of using malicious files; affecting versions from n/a through < 1.3.1.
Product: CMSSuperHeroes Clanora
Active Installations: Unknown. Update to version 1.3.1 or later.
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48106
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/clanora/vulnerability/wordpress-clanora-theme-1-3-1-arbitrary-file-upload-vulnerability

CVE-2025-49060 – CMSSuperHeroes Wastia contains a vulnerability that allows attackers to upload a web shell to a web server.
Product: CMSSuperHeroes Wastia
Active Installations: Unknown. Update to version 1.1.3 or later.
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49060
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/wastia/vulnerability/wordpress-wastia-theme-1-1-3-arbitrary-file-upload-vulnerability

CVE-2025-49901 – Simple Link Directory qc-simple-link-directory allows Authentication Abuse due to an Alternate Path or Channel vulnerability, affecting versions from n/a through < 14.8.1.
Product: quantumcloud Simple Link Directory
Active Installations: 2,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49901
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/qc-simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-14-8-1-broken-authentication-vulnerability

CVE-2025-49915 – Cozy Vision SMS Alert Order Notifications sms-alert is prone to SQL Injection from version n/a through <= 3.8.5.
Product: Cozy Vision SMS Alert Order Notifications
Active Installations: 4,000+
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49915
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-8-5-sql-injection-vulnerability

CVE-2025-49931 – CrocoBlock JetSearch allows Blind SQL Injection vulnerability in versions n/a through <= 3.5.10.
Product: CrocoBlock JetSearch
Active Installations: Unknown. Update to version 3.5.10.1 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49931
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-10-sql-injection-vulnerability

CVE-2025-52741 – Barry Kooij Post Connector is vulnerable to Reflected XSS due to improper input neutralization, affecting versions from n/a through <= 1.0.11.
Product: Barry Kooij Post Connector
Active Installations: 100+
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52741
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/post-connector/vulnerability/wordpress-post-connector-plugin-1-0-11-cross-site-scripting-xss-vulnerability

CVE-2025-52758 – Zippy allows unrestricted upload of dangerous file types, enabling the use of malicious files, impacting versions from n/a through 1.7.0.
Product: Gesundheit Bewegt GmbH Zippy
Active Installations: 10,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52758
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/zippy/vulnerability/wordpress-zippy-plugin-1-7-0-arbitrary-file-upload-vulnerability

CVE-2025-58963 – 7oroof Medcity allows unrestricted upload of dangerous file types which can result in the uploading of a web shell to the web server, affecting versions from n/a through <1.1.9.
Product: 7oroof Medcity
Active Installations: Unknown. Update to version 1.1.9 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58963
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/medcity/vulnerability/wordpress-medcity-theme-1-1-9-arbitrary-file-upload-vulnerability

CVE-2025-59557 – Learts Addons allows SQL Injection in versions prior to 1.7.5.
Product: ThemeMove Learts Addons
Active Installations: Unknown. Update to version 1.7.5 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59557
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/learts-addons/vulnerability/wordpress-learts-addons-plugin-1-7-5-sql-injection-vulnerability

CVE-2025-60039 – Deserialization of Untrusted Data vulnerability in rascals Noisa allows Object Injection. This issue affects Noisa: from n/a through <= 2.6.0.
Product: rascals Noisa
Active Installations: Unknown. Update to version 2.6.3 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60039
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/noisa/vulnerability/wordpress-noisa-theme-2-6-0-php-object-injection-vulnerability

CVE-2025-60206 – Alone allows Code Injection, affecting versions from n/a through 7.8.3.
Product: Bearsthemes Alone
Active Installations: Unknown.
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60206
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/alone/vulnerability/wordpress-alone-theme-7-8-3-remote-code-execution-rce-vulnerability

CVE-2025-60209 – Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets is vulnerable to Object Injection via Deserialization of Untrusted Data in versions from n/a through <= 1.2.6.
Product: CRM Perks Connector for Gravity Forms and Google Sheets
Active Installations: 3,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60209
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/wp-gravity-forms-spreadsheets/vulnerability/wordpress-connector-for-gravity-forms-and-google-sheets-plugin-1-2-5-php-object-injection-vulnerability

CVE-2025-60210 – Everest Forms – Frontend Listing everest-forms-frontend-listing is vulnerable to Object Injection via Deserialization of Untrusted Data in versions from n/a through 1.0.5.
Product: Everest Forms – Frontend Listing
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60210
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/everest-forms-frontend-listing/vulnerability/wordpress-everest-forms-frontend-listing-plugin-1-0-5-php-object-injection-vulnerability

CVE-2025-60213 – Deserialization of Untrusted Data vulnerability in Whitebox-Studio Scape allows Object Injection. This issue affects Scape: from n/a through <= 1.5.13.
Product: Whitebox-Studio Scape
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60213
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-13-php-object-injection-vulnerability

CVE-2025-60214 – Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through <= 1.2.1.
Product: BoldThemes Goldenblatt
Active Installations: Unknown. Update to version 1.3.0 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60214
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability

CVE-2025-60216 – Deserialization of Untrusted Data vulnerability in BoldThemes Addison allows Object Injection. This issue affects Addison: from n/a through <= 1.4.2.
Product: BoldThemes Addison
Active Installations: Unknown. Update to version 1.4.8 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60216
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/addison/vulnerability/wordpress-addison-theme-1-4-2-php-object-injection-vulnerability

CVE-2025-60220 – Incorrect Privilege Assignment vulnerability in pebas CouponXxL allows Privilege Escalation. This issue affects CouponXxL: from n/a through <= 3.0.0.
Product: pebas CouponXxL
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60220
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/couponxxl/vulnerability/wordpress-couponxxl-theme-3-0-0-privilege-escalation-vulnerability

CVE-2025-60221 – captivatesync-trade in captivateaudio Captivate Sync allows Object Injection through deserialization of untrusted data, affecting versions up to 3.0.3.
Product: captivateaudio Captivate Sync
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60221
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/captivatesync-trade/vulnerability/wordpress-captivate-sync-plugin-3-0-3-php-object-injection-vulnerability

CVE-2025-60224 – Subscribe to Download plugin for WordPress allows for Object Injection through deserialization of untrusted data, affecting versions from n/a through 2.0.9.
Product: wpshuffle Subscribe to Download
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60224
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/subscribe-to-download/vulnerability/wordpress-subscribe-to-download-plugin-2-0-9-php-object-injection-vulnerability

CVE-2025-60225 – Deserialization of Untrusted Data vulnerability in AncoraThemes BugsPatrol bugspatrol allows Object Injection. This issue affects BugsPatrol: from n/a through <= 1.5.0.
Product: AncoraThemes BugsPatrol
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60225
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/bugspatrol/vulnerability/wordpress-bugspatrol-theme-1-5-0-php-object-injection-vulnerability

CVE-2025-60226 – White Rabbit whiterabbit is vulnerable to Object Injection through deserialization of untrusted data, impacting versions from n/a through 1.5.2.
Product: axiomthemes White Rabbit
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60226
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/whiterabbit/vulnerability/wordpress-white-rabbit-theme-1-5-2-php-object-injection-vulnerability

CVE-2025-60232 – KBx Pro Ultimate knowledgebase-helpdesk-pro is vulnerable to Object Injection through deserialization of untrusted data, affecting versions from n/a through <= 8.0.5.
Product: quantumcloud KBx Pro Ultimate
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60232
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/knowledgebase-helpdesk-pro/vulnerability/wordpress-kbx-pro-ultimate-plugin-8-0-5-php-object-injection-vulnerability

CVE-2025-62023 – s2Member is vulnerable to improper control of code generation, allowing for code injection from versions n/a through <= 250905.
Product: Cristián Lávaque s2Member
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62023
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/s2member/vulnerability/wordpress-s2member-plugin-250905-remote-code-execution-rce-vulnerability

CVE-2025-62025 – Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch. This issue affects JobSearch: from n/a through < 3.0.8.
Product: eyecix JobSearch
Active Installations: Unknown. Update to version 3.0.8 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62025
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/wp-jobsearch/vulnerability/wordpress-jobsearch-plugin-3-0-8-php-object-injection-vulnerability

CVE-2025-6440 – The WooCommerce Designer Pro plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code.
Product: WooCommerce Designer Pro plugin
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6440
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2f8da1-7503-45e3-8a7d-0031ce264edf?source=cve

CVE-2025-62892 – Sunshine Photo Cart is vulnerable to Missing Authorization, allowing access to functionality not properly constrained by ACLs in versions n/a through 3.5.3.
Product: Sunshine Photo Cart
Active Installations: 1,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62892
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-3-broken-access-control-vulnerability

CVE-2025-62908 – Podlove Web Player podlove-web-player is vulnerable to Missing Authorization, allowing unauthorized access to functionality not properly restricted by ACLs.
Product: Podlove Web Player gerritvanaaken
Active Installations: 5,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62908
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/podlove-web-player/vulnerability/wordpress-podlove-web-player-plugin-5-9-1-broken-access-control-vulnerability

CVE-2025-62919 – TS Demo Importer: Missing Authorization vulnerability allows attackers to exploit incorrectly configured access control security levels, affecting versions from n/a through 0.1.2.
Product: themeshopy TS Demo Importer
Active Installations: 100+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62919
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/ts-demo-importer/vulnerability/wordpress-ts-demo-importer-plugin-0-1-2-broken-access-control-vulnerability

@RISK®: The Consensus Security Vulnerability Alert: Vol. 25, Num. 41

INTERNET STORM CENTER SPOTLIGHT

TikTok Videos Promoting Malware Installation
Published: 2025-10-17
Last Updated: 2025-10-17 16:23:40 UTC
by Xavier Mertens (Version: 1)

Attackers are everywhere! They try to abuse victims using new communication channels and social engineering techniques! Somebody pointed me to the following TikTok video: hxxps://vm[.]tiktok[.]com/ZGdaCkbEF/.

The author pretends to provide you with an easy way to activate Photoshop for free …

Note that the video has already been liked more than 500 times!

The technique is similar to the ClickFix attack scenario. The victim is asked to start a PowerShell as administrator and execute a one-liner …

Read the full entry: https://isc.sans.edu/diary/TikTok+Videos+Promoting+Malware+Installation/32380/

What time is it? Accuracy of pool.ntp.org.
Published: 2025-10-21
Last Updated: 2025-10-22 12:42:06 UTC
by Johannes Ullrich (Version: 1)

Yesterday, Chinese security services published a story alleging a multi-year attack against the systems operating the Chinese standard time (CST), sometimes called Beijing Standard Time. China uses only one time zone across the country, and has not used daylight saving time since 1991. Most operating systems use UTC internally and display local time zones for user convenience. Modern operating systems use NTP to synchronize time. Popular implementations are ntpd and chrony. The client will poll several servers, disregard outliers, and usually sync with the “best” time server based on latency and jitter detected.

Based on the “Beijing Time Incident”, let’s review options to synchronize your network’s clocks. One popular option is to use the NTP “Pool”, “pool[.]ntp[.]org”, or a subset of this pool (like north-america[.]pool[.]ntp[.]org or asia[.]pool[.]ntp[.]org). Currently, ntppool[.]org counts 5788 participants, which is impressive. ntppool[.]org monitors the servers and recently upgraded its monitoring system. Participating servers are assigned scores, which are then used to rank them in the pool. The open nature of the NTP Pool project has sometimes led to questions about the reliability and safety of the pool. Shodan, for example, added systems with IPv6 addresses to the NTP Pool to identify IPv6 addresses worthy of scanning.

We have published a list of IP addresses in the NTP Pool for a few years. We obtain this list from DNS lookups and, in part, from our honeypot data. NTP servers can trigger false positives with firewalls that have difficulty managing UDP “state”. You can use our API to retrieve the current list we identified …

Read the full entry: https://isc.sans.edu/diary/What+time+is+it+Accuracy+of+poolntporg/32390/

New DShield Support Slack
Published: 2025-10-16
Last Updated: 2025-10-17 14:42:46 UTC
by Johannes Ullrich (Version: 1)

This week, we set up a new Slack workspace for DShield.org. This workspace replaces the old workspace we originally configured back in 2016 or 2017. The workspace was originally configured as a free workspace to support the DShield.org community. Over the years, it has had a good following and a good amount of traffic.

Sadly, we learned that none of the “S” in SaaS stands for security or privacy. A couple of years ago, the SANS Institute decided to purchase an enterprise license for its Slack workspace. The details have been lost to time and to a complete turnover of contacts at Slack and now Salesforce. But our DShield.org workspace ended up as part of the Enterprise account, leading to an inflated subscription fee for SANS. As “Owner” of the DShield.org Slack, I was never asked to have the DShield.org Slack merged with the SANS account. As far as I can tell, nobody from SANS asked for it. This was not the only Slack affected. Several smaller Slack workspaces created by SANS instructors for their personal use were merged as well.

Salesforce, the current owner of the Slack brand, offered two options: Keep paying for the Slack workspace (several $ per month per user) or create a new workspace. They repeatedly denied that there is any other option. SANS did consult with me about how to move forward, and I did interact with several contacts at Salesforce to attempt to verify what exactly happened. But none of the Salesforce contacts were familiar with what exactly happened in part due to high turnover. I got various conflicting answers, but they remained consistent in being unable to “undo” the switch that turned the DShield.org workspace into an enterprise account.

SANS did offer to pay the inflated fee, but I do not think it is right to just roll over and pay. Instead, I started a new Slack this week. You can find it here …

Read the full entry: https://isc.sans.edu/diary/New+DShield+Support+Slack/32376/

OTHER INTERNET STORM CENTER ENTRIES

Using Syscall() for Obfuscation/Fileless Activity (2025.10.20)
https://isc.sans.edu/diary/Using+Syscall+for+ObfuscationFileless+Activity/32384/

Microsoft Patch Tuesday October 2025 (2025.10.14)
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+October+2025/32368/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-20352 – Cisco IOS Software and Cisco IOS XE Software are vulnerable to a DoS attack and potential code execution by an attacker with low or high privileges through the SNMP subsystem.
Product: Cisco IOS Software and Cisco IOS XE Software
CVSS Score: 0
** KEV since 2025-09-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20352
ISC Podcast: https://isc.sans.edu/podcastdetail/9660

CVE-2025-24990 – The Agere Modem driver has a vulnerability; the driver will be removed in an upcoming update, resulting in non-functioning fax modem hardware on Windows.
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2025-10-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24990
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990

CVE-2025-59230 – Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2025-10-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59230
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230

CVE-2016-7836 – SKYSEA Client View Ver.11.221.03 and earlier is vulnerable to remote code execution due to a flaw in processing authentication on the TCP connection.
Product: Skygroup Skysea_Client_View
CVSS Score: 0
** KEV since 2025-10-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-7836

CVE-2025-42910 – SAP Supplier Relationship Management is vulnerable to arbitrary file uploads, allowing attackers to potentially execute malicious code and significantly compromise system security.
Product: SAP Supplier Relationship Management
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42910

CVE-2025-42937 – SAPSprint allows unauthenticated attackers to overwrite system files by traversing to parent directories, compromising confidentiality, integrity, and availability.
Product: SAP Print Service (SAPSprint)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42937

CVE-2025-46581 – ZTE’s ZXCDN product is susceptible to a Struts remote code execution vulnerability allowing unauthenticated attackers to execute commands remotely.
Product: ZTE ZXCDN
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46581

CVE-2025-40765 – TeleControl Server Basic V3.1 (All versions >= V3.1.2.2 < V3.1.2.3) is vulnerable to an information disclosure flaw that allows unauthenticated remote attackers to access password hashes and perform authenticated actions in the database service.
Product: Siemens Telecontrol Server Basic
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40765
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-062309.html

CVE-2025-40771 – SIMATIC CP 1542SP-1, SIMATIC CP 1542SP-1 IRC, SIMATIC CP 1543SP-1, SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, SIPLUS ET 200SP CP 1543SP-1 ISEC, and SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL devices are vulnerable to unauthorized configuration data access due to a lack of proper authentication.
Product: Siemens SIMATIC CP 1542SP-1, SIMATIC CP 1542SP-1 IRC, SIMATIC CP 1543SP-1, SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, SIPLUS ET 200SP CP 1543SP-1 ISEC, SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40771
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-486936.html

CVE-2025-10610 – Winsure, through the version dated 21.08.2025, is vulnerable to blind SQL injection.
Product: SFS Consulting Information Processing Industry and Foreign Trade Inc. Winsure
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10610

CVE-2025-11708 – Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11708

CVE-2025-11709 – Firefox and Thunderbird are vulnerable to out-of-bounds reads and writes triggered by a compromised web process using manipulated WebGL textures.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11709

CVE-2025-11710 – Firefox and Thunderbird versions prior to 144 and 140.4 are vulnerable to revealing blocks of memory due to compromised web processes using malicious IPC messages.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11710

CVE-2025-11717 – Firefox displays a black screen instead of the password edit screen when switching between Android apps in the card carousel.
Product: Mozilla Firefox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11717

CVE-2025-11719 – Firefox versions before 144 and Thunderbird versions before 144 are vulnerable to memory corruption from use-after-free issues in the native messaging API on Windows.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11719

CVE-2025-11721 – Firefox 143 and Thunderbird 143 have a memory safety bug affecting versions below 144, potentially allowing for arbitrary code execution.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11721

CVE-2025-49708 – Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network.
Product: Microsoft Graphics Component
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49708
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49708

CVE-2025-55315 – ASP.NET Core allows an authorized attacker to bypass a security feature over a network due to inconsistent interpretation of http requests.
Product: Microsoft ASP.NET Core
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55315
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315

CVE-2025-59287 – Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Product: Microsoft Windows Server Update Service
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59287
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

CVE-2025-49553 – Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability allowing attackers to execute malicious scripts in a victim’s browser.
Product: Adobe Connect
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49553
NVD References: https://helpx.adobe.com/security/products/connect/apsb25-70.html

CVE-2025-56749 – Creativeitem Academy LMS up to and including 6.14 is vulnerable to authentication bypass and unauthorized access via a hardcoded default JWT secret.
Product: Creativeitem Academy LMS
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56749
NVD References: https://suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/

CVE-2025-62583 – Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
Product: Navercorp Whale
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62583

CVE-2025-41018 – Sergestec’s Exito v8.0 is vulnerable to SQL injection, allowing attackers to manipulate databases through the ‘cat’ parameter in ‘/public.php’.
Product: Sergestec Exito
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41018
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sergestec-products

CVE-2025-54539 – The Apache ActiveMQ NMS AMQP Client is vulnerable to deserialization of untrusted data, allowing for potential arbitrary code execution on the client side.
Product: Apache ActiveMQ NMS AMQP Client
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54539
NVD References: https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n

CVE-2025-10611 – WSO2 Products are vulnerable to insufficient access control implementation, potentially allowing unauthorized users to bypass authentication and authorization checks on certain REST APIs, leading to possible unauthorized administrative access and operations.
Product: WSO2 Products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10611
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/

CVE-2025-9152 – WSO2 API Manager is vulnerable to improper privilege management, allowing malicious users to generate access tokens with elevated privileges and potentially gain administrative access.
Product: WSO2 Api Control Plane
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9152
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4483/

CVE-2025-9804 – WSO2 products have an improper access control vulnerability in internal SOAP Admin Services and System REST APIs, allowing low-privileged users to perform unauthorized operations and access server-level information.
Product: WSO2 products
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9804
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/

CVE-2025-61922 – PrestaShop Checkout’s Express Checkout feature prior to versions 4.4.1 and 5.0.5 allows silent login, enabling account takeover via email with no known workarounds.
Product: PrestaShop Checkout
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61922

CVE-2025-62586 – OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0.
Product: OPEXUS FOIAXpress
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62586

CVE-2025-11492 – ConnectWise Automate Agent allowed HTTP communication instead of HTTPS, leaving room for interception, modification, or replay attacks by on-path threat actors; Automate 2025.9 enforces HTTPS for all agent communications.
Product: ConnectWise Automate Agent
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11492
NVD References: https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix

CVE-2025-11900 – The iSherlock by HGiga is vulnerable to OS Command Injection, permitting unauthorized remote attackers to execute arbitrary commands on the server.
Product: HGiga iSherlock
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11900
NVD References: https://www.twcert.org.tw/en/cp-139-10441-00aaf-2.html

CVE-2025-11849 – Mammoth versions before 1.11.0 are vulnerable to Directory Traversal, allowing attackers to read arbitrary files on the system or cause excessive resource consumption via crafted docx files containing external image links.
Product: org.zwobble Mammoth
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11849

CVE-2023-28814 – iSecure Center Product by Hikvision has an improper file upload control vulnerability that allows attackers to upload malicious files due to lack of verification.
Product: Hikvision iSecure Center
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28814

CVE-2023-28815 – Hikvision’s iSecure Center product is prone to a command injection vulnerability due to insufficient parameter validation, potentially allowing attackers to gain platform privileges and execute malicious commands.
Product: Hikvision iSecure Center
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28815
NVD References: https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/2023-04/

CVE-2025-49655 – Keras framework is vulnerable to deserialization of untrusted data in versions 3.11.0 up to 3.11.3, allowing for the execution of arbitrary code from maliciously uploaded Keras files with TorchModuleWrapper class.
Product: Keras framework
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49655

CVE-2025-57567 – PluXml CMS theme editor is vulnerable to remote code execution through the minify.php file, allowing authenticated administrators to execute system commands.
Product: PluXml CMS theme editor
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57567

CVE-2025-60279 – Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API, potentially enabling them to enumerate open ports and interact with internal services.
Product: Illia Cloud illia-Builder
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60279

CVE-2025-62353 – Windsurf IDE allows threat actors to read and write arbitrary local files in and outside of current projects due to a path traversal vulnerability.
Product: Windsurf IDE
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62353

CVE-2025-62168 – Squid caching proxy is vulnerable to information disclosure due to a failure to redact HTTP authentication credentials in error handling, potentially allowing remote clients to learn authentication credentials used by trusted clients.
Product: Squid caching proxy
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62168

CVE-2025-56218 – An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
Product: SigningHub v8.6.8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56218

CVE-2025-56221 – SigningHub v8.6.8 is vulnerable to brute force attacks due to a lack of rate limiting in its login mechanism.
Product: SigningHub v8.6.8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56221

CVE-2025-56316 – MCMS 5.5.0 is vulnerable to SQL injection in the content_title parameter of the /cms/content/list endpoint, allowing remote attackers to execute arbitrary SQL queries.
Product: MCMS 5.5.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56316

CVE-2025-62515 – Pyquokka framework is vulnerable to remote code execution through pickle.loads() deserialization in multiple functions.
Product: Pyquokka framework for making data lakes work for time series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62515

CVE-2025-62645 – The RBI assistant platform is vulnerable to remote authenticated attackers obtaining administrative privileges through the createToken GraphQL mutation.
Product: Restaurant Brands International RBI assistant platform
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62645

CVE-2025-11948 – Excellent Infotek’s Document Management System has an Arbitrary File Upload vulnerability that allows remote attackers to execute web shell backdoors on the server.
Product: Excellent Infotek Document Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11948
NVD References: https://www.twcert.org.tw/en/cp-139-10453-43e63-2.html

CVE-2025-61455 – Bhabishya-123 E-commerce 1.0 is susceptible to SQL Injection via the signup.inc.php endpoint, granting unauthorized access.
Product: Bhabishya-123 E-commerce 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61455

CVE-2025-9574 – ABB ALS-mini-s4 IP and ABB ALS-mini-s8 IP are vulnerable to Missing Authentication for Critical Function on all firmware versions between the Serial Numbers 2000 to 5166.
Product: ABB ALS-mini-s4 IP, ALS-mini-s8 IP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9574

CVE-2025-61303 – The Hatching Triage Sandbox (Windows 10 build 2004 and Windows 10 LTSC 2021) has a vulnerability in its Windows behavioral analysis engine, allowing malware to evade detection and cause denial of analysis by generating excessive child processes.
Product: Hatching Triage Sandbox Windows 10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61303
NVD References: https://github.com/eGkritsis/CVE-2025-61303

CVE-2025-10020 – Zohocorp ManageEngine ADManager Plus versions before 8024 are vulnerable to an authenticated command injection vulnerability in the Custom Script component.
Product: Zohocorp ManageEngine ADManager Plus
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10020
NVD References: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-10020.html

CVE-2025-53037 – Oracle Financial Services Analytical Applications Infrastructure product is vulnerable to an easily exploitable attack that allows unauthorized access and potential takeover of the system.
Product: Oracle Financial Services Analytical Applications Infrastructure
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53037
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html

CVE-2025-53072 – Oracle Marketing in Oracle E-Business Suite (component: Marketing Administration) versions 12.2.3-12.2.14 is vulnerable to an easily exploitable attack by unauthenticated attackers via HTTP, potentially leading to a complete takeover of Oracle Marketing with a CVSS Base Score of 9.8.
Product: Oracle E-Business Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53072
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html

CVE-2025-61757 – A vulnerability in the Identity Manager product of Oracle Fusion Middleware allows an unauthenticated attacker to compromise the system and potentially take it over.
Product: Oracle Identity Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61757
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html

CVE-2025-62481 – Oracle Marketing in Oracle E-Business Suite (component: Marketing Administration) versions 12.2.3-12.2.14 is vulnerable to an easily exploitable attack by unauthenticated attackers via HTTP, potentially leading to a complete takeover of Oracle Marketing with a CVSS Base Score of 9.8.
Product: Oracle E-Business Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62481
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html

CVE-2025-10041 – The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads allowing unauthenticated attackers to potentially execute remote code.
Product: Flex QR Code Generator plugin for WordPress
Active Installations: 30+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10041
NVD References: https://wordpress.org/plugins/flex-qr-code-generator/
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/40000879-a5ef-48f2-97e4-77d527259af0?source=cve

CVE-2025-10294 – The OwnID Passwordless Login plugin for WordPress up to version 1.3.4 allows unauthenticated attackers to log in as other users by bypassing authentication checks.
Product: OwnID OwnID Passwordless Login plugin for WordPress
Active Installations: This plugin has been closed as of October 14, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10294
NVD References: https://wordpress.org/plugins/ownid-passwordless-login/
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve

CVE-2025-9967 – The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover up to version 1.1.7, allowing unauthenticated attackers to change user passwords to one-time passwords with knowledge of the user’s phone number.
Product: Orion SMS OTP Verification plugin for WordPress
Active Installations: This plugin has been closed as of October 14, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9967
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve

CVE-2025-10742 – The Truelysell Core plugin for WordPress up to version 1.8.6 is vulnerable to Arbitrary User Password Change due to user-controlled access to objects, allowing unauthenticated attackers to potentially take over administrator accounts.
Product: Truelysell Core plugin for WordPress
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10742
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve

CVE-2025-10850 – The Felan Framework plugin for WordPress up to version 1.1.4 is vulnerable to improper authentication, allowing unauthenticated attackers to log in as any existing user who registered with Facebook or Google social login without changing their password.
Product: Felan Framework plugin for WordPress
Active Installations: Unknown. Update to version 1.1.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10850
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve

CVE-2017-20206 – The Appointments plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, allowing attackers to inject PHP Objects and create backdoors.
Product: WordPress Appointments plugin
Active Installations: This plugin has been closed as of May 7, 2019 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20206
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7e8f230e-3f96-4efd-806d-72725b960303?source=cve

CVE-2017-20207 – The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection through the `pager` parameter, allowing unauthenticated attackers to exploit the WP_Theme() class for backdoor creation.
Product: Flickr Gallery WordPress
Active Installations: This plugin has been closed as of May 13, 2018 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20207
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b52ae51d-7b9a-4047-82bf-723ea87d2375?source=cve

CVE-2017-20208 – The RegistrationMagic plugin for WordPress is vulnerable to PHP Object Injection through deserialization of untrusted input, enabling attackers to inject a PHP Object and install a remote file on the site.
Product: RegistrationMagic Custom Registration Forms
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20208
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b79193-f8fc-4ea2-8973-fe292cfb926b?source=cve

CVE-2025-11391 – The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code on affected websites.
Product: PPOM Product Addons & Custom Fields for WooCommerce plugin
Active Installations: 20,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11391
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/cf851bed-f5d8-44e2-810d-906ba3d3c1c5?source=cve

CVE-2025-10916 – The FormGent WordPress plugin before 1.0.4 allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation.
Product: FormGent WordPress plugin
Active Installations: 700+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10916
