## Updated at UTC 2025-07-08T09:22:02.017599

| CVE | CVSS | EPSS | Posts | Repos | Nuclei | Updated | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-41668 | 8.8 | 0.00% | 1 | 0 | | 2025-07-08T07:15:25.987000 | A low privileged remote attacker with file access can replace a critical file or |
| CVE-2025-41667 | 8.8 | 0.00% | 1 | 0 | | 2025-07-08T07:15:25.813000 | A low privileged remote attacker with file access can replace a critical file us |
| CVE-2025-41666 | 8.8 | 0.00% | 1 | 0 | | 2025-07-08T07:15:25.630000 | A low privileged remote attacker with file access can replace a critical file us |
| CVE-2025-41665 | 6.5 | 0.00% | 1 | 0 | | 2025-07-08T07:15:25.457000 | An low privileged remote attacker can enforce the watchdog of the affected devic |
| CVE-2025-25270 | 9.8 | 0.00% | 2 | 0 | | 2025-07-08T07:15:25.080000 | An unauthenticated remote attacker can alter the device configuration in a way t |
| CVE-2025-25269 | 8.4 | 0.00% | 1 | 0 | | 2025-07-08T07:15:24.890000 | An unauthenticated local attacker can inject a command that is subsequently exec |
| CVE-2025-24002 | 5.3 | 0.00% | 1 | 0 | | 2025-07-08T07:15:23.473000 | An unauthenticated remote attacker can use MQTT messages to crash a service on c |
| CVE-2024-12084 | 9.8 | 2.91% | 1 | 2 | | 2025-07-08T06:30:32 | A heap-based buffer overflow flaw was found in the rsync daemon. This issue is d |
| CVE-2025-20685 | None | 0.00% | 1 | 0 | | 2025-07-08T03:31:08 | In wlan AP driver, there is a possible out of bounds write due to an incorrect b |
| CVE-2025-42980 | 9.1 | 0.00% | 3 | 0 | | 2025-07-08T03:31:08 | SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a pr |
| CVE-2025-42964 | 9.1 | 0.00% | 2 | 0 | | 2025-07-08T03:31:08 | SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged u |
| CVE-2025-42966 | 9.1 | 0.00% | 2 | 0 | | 2025-07-08T03:31:08 | SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with a |
| CVE-2025-42953 | 8.1 | 0.00% | 2 | 0 | | 2025-07-08T03:31:02 | SAP Netweaver System Configuration does not perform necessary authorization chec |
| CVE-2025-42959 | 8.1 | 0.00% | 2 | 0 | | 2025-07-08T03:31:02 | An unauthenticated attacker may exploit a scenario where a Hashed Message Authen |
| CVE-2025-20686 | 0 | 0.00% | 2 | 0 | | 2025-07-08T03:15:27.987000 | In wlan AP driver, there is a possible out of bounds write due to an incorrect b |
| CVE-2025-42967 | 9.1 | 0.00% | 3 | 0 | | 2025-07-08T01:15:23.787000 | SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vul |
| CVE-2025-42963 | 9.1 | 0.00% | 2 | 0 | | 2025-07-08T01:15:23.093000 | A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer |
| CVE-2016-10033 | 9.8 | 94.44% | 6 | 18 | template | 2025-07-08T01:00:02.203000 | The mailSend function in the isMail transport in PHPMailer before 5.2.18 might a |
| CVE-2025-3108 | 5.0 | 0.18% | 2 | 0 | | 2025-07-07T23:11:37 | Incomplete Documentation of Program Execution exists in the run-llama/llama_inde |
| CVE-2025-53540 | 0 | 0.00% | 2 | 0 | | 2025-07-07T20:15:28.173000 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ES |
| CVE-2025-47227 | 7.5 | 0.13% | 1 | 1 | | 2025-07-07T19:15:22.940000 | In the Production Environment extension in Netmake ScriptCase through 9.12.006 ( |
| CVE-2025-7259 | 6.5 | 0.00% | 2 | 0 | | 2025-07-07T18:32:34 | An authorized user can issue queries with duplicate _id fields, that leads to un |
| CVE-2025-53169 | 7.6 | 0.01% | 1 | 0 | | 2025-07-07T18:32:26 | Vulnerability of bypassing the process to start SA and use related functions on |
| CVE-2025-7097 | 8.1 | 0.13% | 1 | 0 | | 2025-07-07T18:32:25 | A vulnerability, which was classified as critical, has been found in Comodo Inte |
| CVE-2025-53529 | 9.8 | 0.00% | 1 | 0 | | 2025-07-07T17:15:30.030000 | WeGIA is a web manager for charitable institutions. An SQL Injection vulnerabili |
| CVE-2025-36014 | 8.2 | 0.00% | 2 | 0 | | 2025-07-07T17:15:27.890000 | IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code inj |
| CVE-2025-7102 | 6.3 | 0.03% | 2 | 0 | | 2025-07-07T16:15:29.177000 | A vulnerability was found in BoyunCMS up to 1.4.20. It has been declared as crit |
| CVE-2025-7096 | 8.1 | 0.02% | 3 | 0 | | 2025-07-07T16:15:28.390000 | A vulnerability classified as critical was found in Comodo Internet Security Pre |
| CVE-2025-34067 | None | 0.38% | 1 | 0 | | 2025-07-07T15:31:42 | An unauthenticated remote command execution vulnerability exists in the applyCT |
| CVE-2025-5333 | None | 0.29% | 2 | 0 | | 2025-07-07T15:30:37 | Remote attackers can execute arbitrary code in the context of the vulnerable ser |
| CVE-2025-6463 | 8.8 | 0.14% | 3 | 0 | | 2025-07-07T14:28:51.123000 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin f |
| CVE-2025-3466 | 9.8 | 0.11% | 1 | 0 | | 2025-07-07T12:30:29 | langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in t |
| CVE-2025-3705 | 6.8 | 0.10% | 1 | 0 | | 2025-07-07T12:30:29 | A physical attacker with no privileges can gain full control of the affected dev |
| CVE-2025-3626 | 9.1 | 0.25% | 1 | 0 | | 2025-07-07T10:15:27.967000 | A remote attacker with administrator account can gain full control of the device |
| CVE-2025-7118 | 8.8 | 0.04% | 1 | 0 | | 2025-07-07T09:30:31 | A vulnerability, which was classified as critical, has been found in UTT HiPER 8 |
| CVE-2025-41672 | 10.0 | 0.05% | 4 | 0 | | 2025-07-07T07:15:23.973000 | A remote unauthenticated attacker may use default certificates to generate JWT T |
| CVE-2025-53473 | 7.3 | 0.04% | 2 | 0 | | 2025-07-07T06:30:30 | Server-side request forgery (SSRF) vulnerability exists n multiple versions of N |
| CVE-2025-48501 | 9.8 | 0.23% | 3 | 0 | | 2025-07-07T05:15:41.913000 | An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4 |
| CVE-2025-7145 | 7.2 | 0.27% | 3 | 0 | | 2025-07-07T03:30:29 | ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vuln |
| CVE-2025-7100 | 6.3 | 0.03% | 2 | 0 | | 2025-07-07T03:30:29 | A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. A |
| CVE-2025-7101 | 6.3 | 0.04% | 2 | 0 | | 2025-07-07T03:30:23 | A vulnerability was found in BoyunCMS up to 1.4.20. It has been classified as cr |
| CVE-2025-7099 | 5.6 | 0.04% | 2 | 0 | | 2025-07-07T00:30:24 | A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as |
| CVE-2025-7079 | 3.7 | 0.03% | 4 | 0 | | 2025-07-06T15:30:36 | A vulnerability, which was classified as problematic, has been found in mao888 b |
| CVE-2025-27446 | 0 | 0.01% | 1 | 0 | | 2025-07-06T06:15:21.587000 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache AP |
| CVE-2025-47228 | 6.7 | 0.09% | 1 | 1 | | 2025-07-05T03:30:32 | In the Production Environment extension in Netmake ScriptCase through 9.12.006 ( |
| CVE-2025-49809 | 7.9 | 0.01% | 1 | 0 | | 2025-07-04T15:31:08 | mtr through 0.95, in certain privileged contexts, mishandles execution of a prog |
| CVE-2025-5372 | 5.0 | 0.04% | 1 | 0 | | 2025-07-04T06:30:28 | A flaw was found in libssh versions built with OpenSSL versions older than 3.0, |
| CVE-2025-53367 | 0 | 0.01% | 3 | 0 | | 2025-07-03T22:15:21.140000 | DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing |
| CVE-2025-49826 | 7.5 | 0.01% | 1 | 0 | | 2025-07-03T22:15:21.010000 | Next.js is a React framework for building full-stack web applications. From vers |
| CVE-2025-20309 | 10.0 | 0.13% | 9 | 0 | | 2025-07-03T15:23:28.870000 | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco U |
| CVE-2025-53104 | 9.1 | 0.30% | 1 | 0 | | 2025-07-03T15:14:12.767000 | gluestack-ui is a library of copy-pasteable components & patterns crafted with T |
| CVE-2025-34064 | 0 | 0.05% | 1 | 0 | | 2025-07-03T15:14:12.767000 | A cloud infrastructure misconfiguration in OneLogin AD Connector results in log |
| CVE-2025-37097 | 7.5 | 0.05% | 1 | 0 | | 2025-07-03T15:14:12.767000 | A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may all |
| CVE-2025-49483 | 5.4 | 0.04% | 1 | 0 | | 2025-07-03T15:14:12.767000 | Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in tr069 |
| CVE-2025-49488 | 5.4 | 0.04% | 1 | 0 | | 2025-07-03T15:14:12.767000 | Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in route |
| CVE-2025-49482 | 5.4 | 0.04% | 1 | 0 | | 2025-07-03T15:14:12.767000 | Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in tr069 |
| CVE-2025-43713 | 6.5 | 0.07% | 1 | 0 | | 2025-07-03T15:13:53.147000 | ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks a |
| CVE-2025-49618 | 5.8 | 0.03% | 1 | 0 | | 2025-07-03T15:13:53.147000 | In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal |
| CVE-2025-53110 | 0 | 0.06% | 2 | 0 | | 2025-07-03T15:13:53.147000 | Model Context Protocol Servers is a collection of reference implementations for |
| CVE-2025-20307 | 4.8 | 0.03% | 1 | 0 | | 2025-07-03T15:13:53.147000 | A vulnerability in the web-based management interface of Cisco BroadWorks Applic |
| CVE-2025-52891 | 6.5 | 0.05% | 1 | 0 | | 2025-07-03T15:13:53.147000 | ModSecurity is an open source, cross platform web application firewall (WAF) eng |
| CVE-2025-53106 | 0 | 0.04% | 1 | 0 | | 2025-07-03T15:13:53.147000 | Graylog is a free and open log management platform. In versions 6.2.0 to before |
| CVE-2025-34071 | 0 | 0.28% | 1 | 0 | | 2025-07-03T15:13:53.147000 | A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attacker |
| CVE-2025-27024 | 6.5 | 0.04% | 1 | 0 | | 2025-07-03T15:13:53.147000 | Unrestricted access to OS file system in SFTP service in Infinera G42 version R |
| CVE-2025-24330 | 6.4 | 0.02% | 1 | 0 | | 2025-07-03T15:13:53.147000 | Sending a crafted SOAP "provision" operation message PlanId field within the Mob |
| CVE-2025-27025 | 8.8 | 0.36% | 1 | 0 | | 2025-07-03T15:13:53.147000 | The target device exposes a service on a specific TCP port with a configured en |
| CVE-2025-27021 | 7.0 | 0.01% | 1 | 0 | | 2025-07-03T15:13:53.147000 | The misconfiguration in the sudoers configuration of the operating system in In |
| CVE-2025-1708 | 8.6 | 0.04% | 1 | 0 | | 2025-07-03T12:35:09 | The application is vulnerable to SQL injection attacks. An attacker is able to d |
| CVE-2025-53109 | None | 0.06% | 2 | 0 | | 2025-07-02T18:56:41 | Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintende |
| CVE-2025-48928 | 4.0 | 8.89% | 3 | 0 | | 2025-07-02T18:31:32 | The TeleMessage service through 2025-05-05 is based on a JSP application in whic |
| CVE-2025-20308 | 6.0 | 0.02% | 1 | 0 | | 2025-07-02T18:30:42 | A vulnerability in Cisco Spaces Connector could allow an authenticated, local at |
| CVE-2025-20310 | 6.1 | 0.04% | 1 | 0 | | 2025-07-02T18:30:37 | A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could all |
| CVE-2025-24334 | 3.3 | 0.01% | 1 | 0 | | 2025-07-02T15:31:43 | The Nokia Single RAN baseband software earlier than 23R2-SR 1.0 MP can be made t |
| CVE-2025-24333 | 6.4 | 0.02% | 1 | 0 | | 2025-07-02T15:31:43 | Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administ |
| CVE-2025-24332 | 7.1 | 0.02% | 1 | 0 | | 2025-07-02T15:31:43 | Nokia Single RAN AirScale baseband allows an authenticated administrative user a |
| CVE-2025-24335 | 2.0 | 0.02% | 1 | 0 | | 2025-07-02T15:31:43 | Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain |
| CVE-2025-24331 | 6.4 | 0.01% | 1 | 0 | | 2025-07-02T15:31:38 | The Single RAN baseband OAM service is intended to run as an unprivileged servic |
| CVE-2025-24329 | 6.4 | 0.02% | 1 | 0 | | 2025-07-02T15:31:38 | Sending a crafted SOAP "provision" operation message archive field within the Mo |
| CVE-2025-24328 | 4.2 | 0.01% | 1 | 0 | | 2025-07-02T15:31:37 | Sending a crafted SOAP "set" operation message within the Mobile Network Operato |
| CVE-2025-34072 | None | 0.08% | 1 | 0 | | 2025-07-02T15:30:44 | A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model C |
| CVE-2025-34069 | None | 0.14% | 1 | 0 | | 2025-07-02T15:30:44 | An authentication bypass vulnerability exists in GFI Kerio Control 9.4.5 due to |
| CVE-2025-34070 | None | 0.12% | 1 | 0 | | 2025-07-02T15:30:37 | A missing authentication vulnerability in the GFIAgent component of GFI Kerio Co |
| CVE-2025-48379 | 7.1 | 0.01% | 1 | 0 | | 2025-07-02T14:20:25 | There is a heap buffer overflow when writing a sufficiently large (>64k encoded |
| CVE-2025-27022 | 7.5 | 0.06% | 1 | 0 | | 2025-07-02T12:33:13 | Path traversal in WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows re |
| CVE-2025-27023 | 6.5 | 0.07% | 1 | 0 | | 2025-07-02T12:32:17 | Lack or insufficent input validation in WebGUI CLI web in Infinera G42 version |
| CVE-2024-13786 | 9.8 | 0.11% | 1 | 0 | | 2025-07-02T09:30:34 | The education theme for WordPress is vulnerable to PHP Object Injection in all v |
| CVE-2025-4689 | 9.8 | 0.15% | 1 | 0 | | 2025-07-02T06:30:41 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for Word |
| CVE-2025-53107 | 7.5 | 0.15% | 1 | 0 | | 2025-07-01T23:52:06 | ### Summary A command injection vulnerability exists in the `git-mcp-server` MC |
| CVE-2025-32463 | 9.4 | 0.01% | 16 | 27 | | 2025-07-01T21:33:31 | Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswi |
| CVE-2025-37099 | 9.8 | 0.23% | 1 | 0 | | 2025-07-01T18:30:47 | A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) |
| CVE-2025-6543 | 9.8 | 16.12% | 3 | 3 | | 2025-07-01T18:30:34 | Memory overflow vulnerability leading to unintended control flow and Denial of S |
| CVE-2025-6554 | 8.1 | 6.66% | 26 | 4 | | 2025-07-01T15:32:11 | Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote at |
| CVE-2025-37098 | 7.5 | 0.06% | 1 | 0 | | 2025-07-01T15:31:16 | A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior |
| CVE-2025-34060 | None | 0.27% | 1 | 0 | | 2025-07-01T15:31:16 | A PHP objection injection vulnerability exists in the Monero Project’s Laravel-b |
| CVE-2025-34063 | None | 0.11% | 1 | 0 | | 2025-07-01T15:31:10 | A cryptographic authentication bypass vulnerability exists in OneLogin AD Connec |
| CVE-2025-49491 | 5.4 | 0.04% | 1 | 0 | | 2025-07-01T12:31:05 | Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、 |
| CVE-2025-49489 | 5.4 | 0.04% | 1 | 0 | | 2025-07-01T12:31:05 | Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、 |
| CVE-2025-49490 | 5.4 | 0.04% | 1 | 0 | | 2025-07-01T12:31:05 | Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure. |
| CVE-2025-49492 | 7.4 | 0.04% | 1 | 0 | | 2025-07-01T12:31:05 | Out-of-bounds write in ASR180x in lte-telephony, May cause a buffer underrun. |
| CVE-2025-49480 | 7.4 | 0.04% | 1 | 0 | | 2025-07-01T12:31:05 | Out-of-bounds access in ASR180x 、ASR190x in lte-telephony, This vulnerability |
| CVE-2025-49481 | 5.4 | 0.04% | 1 | 0 | | 2025-07-01T12:31:05 | Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in route |
| CVE-2025-5072 | 5.4 | 0.04% | 1 | 0 | | 2025-07-01T09:30:40 | Resource leak vulnerability in ASR180x、ASR190x in con_mgr allows Resource Leak E |
| CVE-2025-41656 | 10.0 | 0.16% | 1 | 0 | | 2025-07-01T09:30:40 | An unauthenticated remote attacker can run arbitrary commands on the affected de |
| CVE-2025-41648 | 9.8 | 0.08% | 1 | 0 | | 2025-07-01T09:30:40 | An unauthenticated remote attacker can bypass the login to the web application o |
| CVE-2025-49521 | 8.8 | 0.09% | 1 | 0 | | 2025-07-01T03:31:37 | A flaw was found in the EDA component of the Ansible Automation Platform, where |
| CVE-2025-49520 | 8.8 | 0.09% | 1 | 0 | | 2025-07-01T03:31:36 | A flaw was found in Ansible Automation Platform’s EDA component where user-suppl |
| CVE-2025-32462 | 2.8 | 0.02% | 10 | 8 | | 2025-06-30T21:30:54 | Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that i |
| CVE-2025-6019 | 7.0 | 0.02% | 1 | 4 | | 2025-06-30T03:31:34 | A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Gener |
| CVE-2024-54085 | 9.8 | 9.47% | 1 | 1 | | 2025-06-27T12:32:19 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authe |
| CVE-2025-49132 | 10.0 | 23.69% | 1 | 6 | template | 2025-06-23T20:16:21.633000 | Pterodactyl is a free, open-source game server management panel. Prior to versio |
| CVE-2024-12086 | 6.1 | 0.16% | 1 | 0 | | 2025-06-20T21:32:01 | A flaw was found in rsync. It could allow a server to enumerate the contents of |
| CVE-2024-12087 | 6.5 | 0.66% | 1 | 0 | | 2025-06-20T18:28:57.620000 | A path traversal vulnerability exists in rsync. It stems from behavior enabled b |
| CVE-2024-12088 | 6.5 | 0.52% | 1 | 0 | | 2025-06-18T16:29:29.573000 | A flaw was found in rsync. When using the `--safe-links` option, the rsync clien |
| CVE-2025-5777 | None | 4.17% | 34 | 6 | template | 2025-06-17T15:31:16 | Insufficient input validation leading to memory overread on the NetScaler Manage |
| CVE-2024-52533 | 9.8 | 0.72% | 1 | 0 | | 2025-06-17T01:23:56.150000 | gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resu |
| CVE-2025-49596 | 0 | 0.52% | 2 | 1 | | 2025-06-16T12:32:18.840000 | The MCP inspector is a developer tool for testing and debugging MCP servers. Ver |
| CVE-2025-22157 | 8.8 | 0.05% | 1 | 0 | | 2025-06-12T18:31:14 | This High severity PrivEsc (Privilege Escalation) vulnerability was introduced i |
| CVE-2025-32711 | 9.3 | 0.10% | 2 | 1 | | 2025-06-11T15:30:38 | Ai command injection in M365 Copilot allows an unauthorized attacker to disclose |
| CVE-2025-47176 | 7.8 | 0.06% | 1 | 0 | | 2025-06-10T21:32:26 | '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute |
| CVE-2025-33073 | 8.8 | 0.39% | 1 | 2 | | 2025-06-10T18:32:36 | Improper access control in Windows SMB allows an authorized attacker to elevate |
| CVE-2024-6119 | 7.5 | 0.67% | 1 | 0 | | 2025-06-03T12:31:37 | Issue summary: Applications performing certificate name checks (e.g., TLS client |
| CVE-2024-12133 | 5.3 | 0.22% | 1 | 0 | | 2025-06-02T15:32:27 | A flaw in libtasn1 causes inefficient handling of specific certificate data. Whe |
| CVE-2024-12747 | 5.6 | 0.01% | 1 | 0 | | 2025-06-02T15:31:21 | A flaw was found in rsync. This vulnerability arises from a race condition durin |
| CVE-2024-8176 | 7.5 | 0.36% | 1 | 1 | | 2025-06-02T15:31:21 | A stack overflow vulnerability exists in the libexpat library due to the way it |
| CVE-2025-48927 | 5.3 | 11.15% | 3 | 0 | | 2025-05-28T18:33:28 | The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with |
| CVE-2025-26466 | 5.9 | 46.59% | 1 | 3 | | 2025-05-27T18:30:48 | A flaw was found in the OpenSSH package. For each ping packet the SSH server rec |
| CVE-2023-27043 | 5.3 | 0.11% | 1 | 0 | | 2025-05-19T12:38:20.773000 | The email module of Python through 3.11.3 incorrectly parses e-mail addresses th |
| CVE-2024-50602 | 5.9 | 0.04% | 1 | 0 | | 2025-04-30T20:15:20.730000 | An issue was discovered in libexpat before 2.6.4. There is a crash within the XM |
| CVE-2024-10918 | 4.8 | 0.10% | 1 | 0 | | 2025-04-29T18:31:51 | Stack-based Buffer Overflow vulnerability in libmodbus v3.1.10 allows to overflo |
| CVE-2024-9287 | 7.8 | 0.04% | 1 | 0 | | 2025-04-25T23:15:16.573000 | A vulnerability has been found in the CPython `venv` module and CLI where path n |
| CVE-2024-38428 | 9.1 | 0.27% | 1 | 0 | | 2025-04-21T12:30:24 | url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcompon |
| CVE-2014-3931 | 9.8 | 1.67% | 7 | 0 | | 2025-04-20T03:36:04 | fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote a |
| CVE-2015-7697 | None | 30.28% | 1 | 0 | | 2025-04-12T12:54:49 | Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinit |
| CVE-2025-24813 | 9.8 | 93.98% | 2 | 38 | template | 2025-04-03T13:23:54 | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution an |
| CVE-2025-27636 | None | 43.34% | 2 | 2 | | 2025-03-25T18:38:11 | Bypass/Injection vulnerability in Apache Camel components under particular condi |
| CVE-2024-10524 | 6.5 | 0.48% | 1 | 0 | | 2025-03-21T18:15:32.323000 | Applications that use Wget to access a remote resource using shorthand URLs and |
| CVE-2024-12085 | 7.5 | 1.18% | 1 | 0 | | 2025-03-20T09:30:27 | A flaw was found in the rsync daemon which could be triggered when rsync compare |
| CVE-2025-29891 | 4.2 | 0.09% | 2 | 0 | | 2025-03-19T15:44:53 | Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel |
| CVE-2025-0167 | 3.4 | 0.06% | 1 | 0 | | 2025-03-07T03:32:33 | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirec |
| CVE-2025-0665 | 9.8 | 2.35% | 1 | 0 | | 2025-03-07T03:32:33 | libcurl would wrongly close the same eventfd file descriptor twice when taking d |
| CVE-2025-27113 | 2.9 | 0.07% | 1 | 0 | | 2025-03-07T03:31:33 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference i |
| CVE-2025-1094 | 8.1 | 83.63% | 1 | 5 | | 2025-02-21T18:31:09 | Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescape |
| CVE-2025-24965 | 0 | 0.10% | 1 | 0 | | 2025-02-19T17:15:15.510000 | crun is an open source OCI Container Runtime fully written in C. In affected ver |
| CVE-2025-26465 | 6.8 | 56.74% | 1 | 2 | | 2025-02-19T15:33:13 | A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled |
| CVE-2024-12705 | 7.5 | 0.13% | 1 | 0 | | 2025-02-07T18:32:19 | Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memor |
| CVE-2024-6232 | 7.5 | 0.91% | 1 | 0 | | 2025-01-31T21:32:45 | There is a MEDIUM severity vulnerability affecting CPython. Regular express |
| CVE-2024-11053 | 9.1 | 0.17% | 1 | 0 | | 2025-01-31T15:31:47 | When asked to both use a `.netrc` file for credentials and to follow HTTP redire |
| CVE-2024-55591 | 9.8 | 94.25% | 1 | 10 | template | 2025-01-23T02:00:02.310000 | An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-2 |
| CVE-2019-11932 | 8.8 | 80.16% | 1 | 21 | | 2025-01-13T15:21:41 | A double free vulnerability in the DDGifSlurp function in decoding.c in the andr |
| CVE-2024-5594 | 9.1 | 0.11% | 1 | 0 | | 2025-01-06T18:32:07 | OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which attack |
| CVE-2024-50379 | 9.8 | 88.61% | 1 | 16 | | 2025-01-03T12:30:31 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compi |
| CVE-2024-56337 | 9.8 | 9.71% | 2 | 1 | | 2025-01-03T12:15:26.787000 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat |
| CVE-2024-12856 | 7.2 | 77.16% | 1 | 1 | | 2024-12-27T18:30:32 | The Four-Faith router models F3x24 and F3x36 are affected by an operating system |
| CVE-2024-9681 | 5.9 | 0.26% | 1 | 0 | | 2024-12-13T15:31:42 | When curl is asked to use HSTS, the expiry time for a subdomain might overwrite |
| CVE-2024-9341 | 5.4 | 0.26% | 1 | 0 | | 2024-12-11T06:30:25 | A flaw was found in Go. When FIPS mode is enabled on a system, container runtime |
| CVE-2024-6874 | 4.3 | 0.24% | 2 | 0 | | 2024-11-21T09:50:26.493000 | libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_g |
| CVE-2021-4217 | 3.3 | 0.13% | 1 | 1 | | 2024-11-21T06:37:10.350000 | A flaw was found in unzip. The vulnerability occurs due to improper handling of |
| CVE-2019-13638 | 7.8 | 3.45% | 1 | 0 | | 2024-11-21T04:25:25.007000 | GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be |
| CVE-2018-6951 | 7.5 | 23.09% | 1 | 0 | | 2024-11-21T04:11:28.273000 | An issue was discovered in GNU patch through 2.7.6. There is a segmentation faul |
| CVE-2024-5742 | 4.7 | 0.04% | 1 | 3 | | 2024-11-12T18:30:50 | A vulnerability was found in GNU Nano that allows a possible privilege escalatio |
| CVE-2024-9143 | 4.3 | 0.65% | 1 | 0 | | 2024-11-08T18:31:50 | Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted e |
| CVE-2024-28882 | 4.3 | 0.53% | 1 | 0 | | 2024-11-02T00:37:22 | OpenVPN 2.6.10 and earlier in a server role accepts multiple exit notifications |
| CVE-2024-8006 | 4.4 | 0.05% | 1 | 0 | | 2024-09-19T17:46:03.447000 | Remote packet capture support is disabled by default in libpcap. When a user bu |
| CVE-2023-7256 | 4.4 | 0.05% | 1 | 0 | | 2024-08-31T00:31:11 | In affected libpcap versions during the setup of a remote packet capture the int |
| CVE-2024-6345 | 8.8 | 0.23% | 1 | 0 | | 2024-08-04T05:03:40 | A vulnerability in the `package_index` module of pypa/setuptools versions up to |
| CVE-2024-5535 | 9.1 | 5.15% | 1 | 1 | | 2024-07-12T15:31:25 | Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an em |
| CVE-2024-3721 | 6.3 | 57.40% | 1 | 0 | | 2024-04-13T12:30:30 | A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classi |
| CVE-2018-20969 | 7.8 | 0.78% | 1 | 0 | | 2024-04-11T21:19:01 | do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginnin |
| CVE-2023-34362 | 9.8 | 94.48% | 1 | 11 | template | 2024-04-04T04:29:06 | In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0. |
| CVE-2019-13636 | 5.9 | 5.07% | 1 | 0 | | 2024-04-04T01:17:53 | In GNU patch through 2.7.6, the following of symlinks is mishandled in certain c |
| CVE-2019-13232 | 3.3 | 0.08% | 1 | 0 | | 2024-04-04T01:11:32 | Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, l |
| CVE-2019-9621 | 7.5 | 91.81% | 6 | 1 | | 2024-04-04T00:24:27 | Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, an |
| CVE-2010-2772 | 7.8 | 0.08% | 1 | 0 | | 2024-02-22T05:08:16 | Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which a |
| CVE-2024-25062 | 7.5 | 0.15% | 1 | 0 | | 2024-02-22T05:07:56 | An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When |
| CVE-2024-0684 | 5.5 | 0.07% | 1 | 1 | | 2024-02-14T00:35:42 | A flaw was found in the GNU coreutils "split" program. A heap overflow with user |
| CVE-2022-0529 | 7.8 | 0.20% | 1 | 2 | | 2023-10-30T12:30:30 | A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of |
| CVE-2022-0530 | 7.8 | 0.09% | 1 | 2 | | 2023-10-30T12:30:30 | A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of |
| CVE-2022-38392 | 5.3 | 0.08% | 1 | 0 | | 2023-09-18T05:03:19 | A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2 |
| CVE-2019-5418 | 7.5 | 94.23% | 6 | 12 | template | 2023-08-17T05:02:29 | # File Content Disclosure in Action View Impact ------ There is a possible fi |
| CVE-2018-6952 | 7.5 | 16.66% | 1 | 0 | | 2023-02-02T05:03:20 | A double free exists in the another_hunk function in pch.c in GNU patch through |
| CVE-2015-7696 | None | 31.45% | 1 | 0 | | 2023-02-01T05:08:13 | Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-ba |
| CVE-2016-9844 | 4.0 | 10.18% | 1 | 0 | | 2023-02-01T05:08:12 | Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allo |
| CVE-2018-18384 | 5.5 | 2.94% | 1 | 0 | | 2023-02-01T05:07:51 | Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a cra |
| CVE-2020-16120 | None | 0.06% | 1 | 0 | | 2023-01-29T05:05:39 | Overlayfs did not properly perform permission checking when copying up files in |
| CVE-2019-20633 | None | 0.14% | 1 | 0 | | 2023-01-29T05:02:02 | GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability |
| CVE-2025-25271 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-25268 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-24005 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-24006 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-24004 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-24003 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-47812 | 0 | 0.00% | 5 | 5 | template | N/A | |
| CVE-2025-48952 | 0 | 0.06% | 3 | 0 | | N/A | |
| CVE-2025-53536 | 0 | 0.00% | 2 | 0 | | N/A | |
| CVE-2025-1735 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-0038 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2025-49588 | 0 | 0.04% | 1 | 0 | | N/A | |
| CVE-2025-48703 | 0 | 0.00% | 1 | 3 | | N/A | |
| CVE-2025-49144 | 0 | 0.01% | 2 | 6 | | N/A | |
| CVE-2025-53100 | 0 | 0.97% | 1 | 0 | | N/A | |

CVE-2025-41668
(8.8 HIGH)

EPSS: 0.00%

updated 2025-07-08T07:15:25.987000

1 post

A low privileged remote attacker with file access can replace a critical file or folder used by the service security-profile to get read, write and execute access to any file on the device.

certvde at 2025-07-08T07:11:00.708Z ##

VDE-2025-054
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2025-41666, CVE-2025-41667, CVE-2025-41668, CVE-2025-41665

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-41667
(8.8 HIGH)

EPSS: 0.00%

updated 2025-07-08T07:15:25.813000

1 post

A low privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device.

certvde at 2025-07-08T07:11:00.708Z ##

VDE-2025-054
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2025-41666, CVE-2025-41667, CVE-2025-41668, CVE-2025-41665

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-41666
(8.8 HIGH)

EPSS: 0.00%

updated 2025-07-08T07:15:25.630000

1 post

A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.

certvde at 2025-07-08T07:11:00.708Z ##

VDE-2025-054
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2025-41666, CVE-2025-41667, CVE-2025-41668, CVE-2025-41665

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-41665
(6.5 MEDIUM)

EPSS: 0.00%

updated 2025-07-08T07:15:25.457000

1 post

A low privileged remote attacker can force the watchdog of the affected devices to reboot the PLC due to incorrect default permissions of a config file.

certvde at 2025-07-08T07:11:00.708Z ##

VDE-2025-054
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2025-41666, CVE-2025-41667, CVE-2025-41668, CVE-2025-41665

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-25270
(9.8 CRITICAL)

EPSS: 0.00%

updated 2025-07-08T07:15:25.080000

2 posts

An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations.

offseq at 2025-07-08T07:31:15.008Z ##

⚠️ CRITICAL: CVE-2025-25270 affects Phoenix Contact CHARX SEC-3150 (0.0.0). Remote unauthenticated attackers can gain root RCE by altering device config. No patch yet—review your exposure! radar.offseq.com/threat/cve-20

##

certvde at 2025-07-08T07:09:16.432Z ##

VDE-2025-019
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-25270, CVE-2025-25268, CVE-2025-25271, CVE-2025-25269

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-25269
(8.4 HIGH)

EPSS: 0.00%

updated 2025-07-08T07:15:24.890000

1 post

An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation.

certvde at 2025-07-08T07:09:16.432Z ##

VDE-2025-019
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-25270, CVE-2025-25268, CVE-2025-25271, CVE-2025-25269

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-24002
(5.3 MEDIUM)

EPSS: 0.00%

updated 2025-07-08T07:15:23.473000

1 post

An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they are restarted by the watchdog.

certvde at 2025-07-08T07:08:52.104Z ##

VDE-2025-014
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-24003, CVE-2025-24005, CVE-2025-24006, CVE-2025-24002, CVE-2025-24004

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-12084
(9.8 CRITICAL)

EPSS: 2.91%

updated 2025-07-08T06:30:32

1 post

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

2 repos

https://github.com/themirze/cve-2024-12084

https://github.com/rxerium/CVE-2024-12084

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-20685
(CVSS UNKNOWN)

EPSS: 0.00%

updated 2025-07-08T03:31:08

1 post

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416226; Issue ID: MSV-3409.

offseq at 2025-07-08T04:31:31.310Z ##

🔴 CVE-2025-20685: CRITICAL heap overflow in MediaTek WLAN AP driver (MT6890, MT7915/16, MT7981/86). Remote code exec possible from nearby—no user action. Patch ID: WCNCR00416226. Urgent action needed! radar.offseq.com/threat/cve-20

##

CVE-2025-42980
(9.1 CRITICAL)

EPSS: 0.00%

updated 2025-07-08T03:31:08

3 posts

SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

offseq at 2025-07-08T01:31:29.746Z ##

🔴 CRITICAL: CVE-2025-42980 in SAP NetWeaver EP-RUNTIME 7.50 exposes deserialization of untrusted data. Privileged users can trigger full system compromise. Apply patches & review privileges. radar.offseq.com/threat/cve-20

##

cR0w at 2025-07-08T01:16:35.242Z ##

Here are some interesting CVEs while we wait for the SAP advisory to be published. Fortunately, they're all post-auth.

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with high privileges to create a new report with his own code, potentially gaining full control of the affected SAP system and causing high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.

nvd.nist.gov/vuln/detail/CVE-2

##

cR0w@infosec.exchange at 2025-07-08T01:16:35.000Z ##

Here are some interesting CVEs while we wait for the SAP advisory to be published. Fortunately, they're all post-auth.

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with high privileges to create a new report with his own code, potentially gaining full control of the affected SAP system and causing high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.

nvd.nist.gov/vuln/detail/CVE-2

#patchTuesday

##

CVE-2025-42964
(9.1 CRITICAL)

EPSS: 0.00%

updated 2025-07-08T03:31:08

2 posts

SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

##

CVE-2025-42966
(9.1 CRITICAL)

EPSS: 0.00%

updated 2025-07-08T03:31:08

2 posts

SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.

##

CVE-2025-42953
(8.1 HIGH)

EPSS: 0.00%

updated 2025-07-08T03:31:02

2 posts

SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.

##

CVE-2025-42959
(8.1 HIGH)

EPSS: 0.00%

updated 2025-07-08T03:31:02

2 posts

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

##

CVE-2025-20686
(0 None)

EPSS: 0.00%

updated 2025-07-08T03:15:27.987000

2 posts

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00415570; Issue ID: MSV-3404.

offseq at 2025-07-08T03:01:24.780Z ##

⚠️ CRITICAL: CVE-2025-20686 heap overflow in MediaTek MT6890/MT7915/MT7916/MT7981/MT7986. Remote code execution possible via Wi-Fi, no user interaction needed. Patch when available; segment networks & monitor closely. radar.offseq.com/threat/cve-20

##

CVE-2025-42967
(9.1 CRITICAL)

EPSS: 0.00%

updated 2025-07-08T01:15:23.787000

3 posts

SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with high privileges to create a new report with his own code, potentially gaining full control of the affected SAP system and causing high impact on confidentiality, integrity, and availability of the application.

offseq at 2025-07-08T06:01:04.939Z ##

🚨 CRITICAL SAP RCE: CVE-2025-42967 impacts S/4HANA & SCM (Characteristic Propagation). High-priv users can remotely execute code—full compromise risk. Audit access, monitor activity, & apply mitigations. radar.offseq.com/threat/cve-20

##

cR0w at 2025-07-08T01:16:35.242Z ##

Here are some interesting CVEs while we wait for the SAP advisory to be published. Fortunately, they're all post-auth.

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with high privileges to create a new report with his own code, potentially gaining full control of the affected SAP system and causing high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-42963
(9.1 CRITICAL)

EPSS: 0.00%

updated 2025-07-08T01:15:23.093000

2 posts

A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the applica

cR0w at 2025-07-08T01:16:35.242Z ##

Here are some interesting CVEs while we wait for the SAP advisory to be published. Fortunately, they're all post-auth.

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with high privileges to create a new report with his own code, potentially gaining full control of the affected SAP system and causing high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

nvd.nist.gov/vuln/detail/CVE-2

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.

nvd.nist.gov/vuln/detail/CVE-2

##

AAKL at 2025-07-07T18:10:09.246Z ##

CISA has updated the KEV catalogue.

- CVE-2014-3931: Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2014-

- CVE-2016-10033: PHPMailer Command Injection Vulnerability cve.org/CVERecord?id=CVE-2016-

- CVE-2019-5418: Rails Ruby on Rails Path Traversal Vulnerability cve.org/CVERecord?id=CVE-2019-

- CVE-2019-9621: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability cve.org/CVERecord?id=CVE-2019-

##

cR0w at 2025-07-07T18:03:41.105Z ##

Four old CVEs added to the CISA KEV Catalog today:
CVE-2014-3931
CVE-2016-10033
CVE-2019-5418
CVE-2019-9621

##

cisakevtracker@mastodon.social at 2025-07-07T18:01:43.000Z ##

CVE ID: CVE-2016-10033
Vendor: PHP
Product: PHPMailer
Date Added: 2025-07-07
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: github.com/PHPMailer/PHPMailer ; github.com/advisories/GHSA-5f3 ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-3108
(5.0 MEDIUM)

EPSS: 0.18%

updated 2025-07-07T23:11:37

2 posts

Incomplete Documentation of Program Execution exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrust

CVE-2025-53540
(0 None)

EPSS: 0.00%

updated 2025-07-07T20:15:28.173000

2 posts

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulti

cR0w at 2025-07-07T19:47:31.579Z ##

Ooh, that's a fun one.

github.com/espressif/arduino-e

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulting in remote code execution (RCE). This vulnerability is fixed in 3.2.1.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-47227
(7.5 HIGH)

EPSS: 0.13%

updated 2025-07-07T19:15:22.940000

1 post

In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php is sufficient. An unauthenticated attacker can then bypass authentication via administrator account takeover.

1 repos

https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228

undercodenews@mastodon.social at 2025-07-07T08:02:58.000Z ##

ScriptCase Hit by Critical Zero-Day Exploits: Remote Access Without Login

Dangerous Vulnerabilities Expose ScriptCase Servers to Full Takeover Two severe vulnerabilities have been discovered in ScriptCase, a widely used low-code development platform for PHP applications. The flaws, tracked as CVE-2025-47227 and CVE-2025-47228, were revealed by cybersecurity researchers Alexandre Droullé and Alexandre Zanni. These bugs target the "Production Environment" module—known as…

undercodenews.com/scriptcase-h

##

CVE-2025-7259
(6.5 MEDIUM)

EPSS: 0.00%

updated 2025-07-07T18:32:34

2 posts

An authorized user can issue queries with duplicate _id fields, which leads to unexpected behavior in MongoDB Server and may result in a crash. This issue can only be triggered by authorized users and causes Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.

cR0w at 2025-07-07T16:44:56.792Z ##

Seems to me that this sort of thing should have been sorted at the beginning of creating a database product.

jira.mongodb.org/browse/SERVER

An authorized user can issue queries with duplicate _id fields, which leads to unexpected behavior in MongoDB Server and may result in a crash. This issue can only be triggered by authorized users and causes Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-53169
(7.6 HIGH)

EPSS: 0.01%

updated 2025-07-07T18:32:26

1 post

Vulnerability of bypassing the process to start SA and use related functions on distributed cameras. Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness.

offseq at 2025-07-07T04:31:14.052Z ##

👁️‍🗨️ CVE-2025-53169: HIGH-severity bug in HarmonyOS 5.0.1/5.1.0 lets peers bypass controls & access distributed cameras w/o consent. No patch yet—segment networks & monitor access. radar.offseq.com/threat/cve-20

##

CVE-2025-7097
(8.1 HIGH)

EPSS: 0.13%

updated 2025-07-07T18:32:25

1 post

A vulnerability, which was classified as critical, has been found in Comodo Internet Security Premium 12.3.4.8162. This issue affects some unknown processing of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation of the argument binary/params leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploit

offseq at 2025-07-07T00:01:06.035Z ##

🚨 CRITICAL: CVE-2025-7097 in Comodo Internet Security Premium 12.3.4.8162 allows remote OS command injection via cis_update_x64.xml (Manifest File Handler). No patch available—restrict usage, monitor endpoints, and enhance detection. radar.offseq.com/threat/cve-20

##

CVE-2025-53529
(9.8 CRITICAL)

EPSS: 0.00%

updated 2025-07-07T17:15:30.030000

1 post

WeGIA is a web manager for charitable institutions. An SQL Injection vulnerability was identified in the /html/funcionario/profile_funcionario.php endpoint. The id_funcionario parameter is not properly sanitized or validated before being used in a SQL query, allowing an unauthenticated attacker to inject arbitrary SQL commands. The vulnerability is fixed in 3.4.3.

offseq at 2025-07-08T00:01:17.123Z ##

🚨 CRITICAL: CVE-2025-53529 affects WeGIA <3.4.3. Unauthenticated SQL Injection in profile_funcionario.php (id_funcionario param) risks full DB compromise. Patch to 3.4.3+ and deploy WAF rules ASAP! radar.offseq.com/threat/cve-20

##

CVE-2025-36014
(8.2 HIGH)

EPSS: 0.00%

updated 2025-07-07T17:15:27.890000

2 posts

IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.

cR0w at 2025-07-07T16:47:12.213Z ##

Post-auth code injection in IBM Integration Bus for z/OS.

ibm.com/support/pages/node/723

sev:HIGH 8.2 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-7102
(6.3 MEDIUM)

EPSS: 0.03%

updated 2025-07-07T16:15:29.177000

2 posts

A vulnerability was found in BoyunCMS up to 1.4.20. It has been declared as critical. This vulnerability affects unknown code of the file application/update/controller/Server.php. The manipulation of the argument phone leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7096
(8.1 HIGH)

EPSS: 0.02%

updated 2025-07-07T16:15:28.390000

3 posts

A vulnerability classified as critical was found in Comodo Internet Security Premium 12.3.4.8162. This vulnerability affects unknown code of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation leads to improper validation of integrity check value. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be diffic

offseq at 2025-07-07T01:31:21.188Z ##

⚠️ CVE-2025-7096: CRITICAL in Comodo Internet Security Premium 12.3.4.8162. Remote attackers can bypass integrity checks (cis_update_x64.xml). No patch—switch solutions & monitor for abuse. radar.offseq.com/threat/cve-20

##

cR0w at 2025-07-06T22:18:25.182Z ##

drive.google.com/file/d/1qnWar

sev:CRIT 9.2 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

A vulnerability classified as critical was found in Comodo Internet Security Premium 12.3.4.8162. This vulnerability affects unknown code of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation leads to improper validation of integrity check value. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-34067
(CVSS UNKNOWN)

EPSS: 0.38%

updated 2025-07-07T15:31:42

1 post

An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a mali

beyondmachines1@infosec.exchange at 2025-07-05T12:01:15.000Z ##

Remote code execution flaw reported in HIKVISION Security Management Platforms

HIKVISION reports a maximum-severity vulnerability (CVE-2025-34067) in its applyCT security management platform that allows unauthenticated remote code execution through a vulnerable Fastjson library, enabling attackers arbitrary code execution.

**If you have HIKVISION HikCentral security management systems, make sure they are isolated from the internet and accessible only from trusted networks. Also block outbound LDAP connections, and then plan a quick patch cycle, because isolation will never be enough with a maximum severity flaw.**
#cybersecurity #infosec #advisory #vulnerability
beyondmachines.net/event_detai

##

CVE-2025-5333
(CVSS UNKNOWN)

EPSS: 0.29%

updated 2025-07-07T15:30:37

2 posts

Remote attackers can execute arbitrary code in the context of the vulnerable service process.

cR0w at 2025-07-06T14:03:25.887Z ##

Fuck Broadcom. I would love to provide more details but I don't have a login. Go hack some Symantec IT Management Suite shit.

support.broadcom.com/web/ecx/s

sev:CRIT 9.5 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:L/U:Red

Remote attackers can execute arbitrary code in the context of the vulnerable service process.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-6463
(8.8 HIGH)

EPSS: 0.14%

updated 2025-07-07T14:28:51.123000

3 posts

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted whe

benzogaga33@mamot.fr at 2025-07-03T09:40:02.000Z ##

WordPress – CVE-2025-6463: this flaw in the Forminator plugin threatens more than 400,000 websites! it-connect.fr/wordpress-cve-20 #ActuCybersécurité #Cybersécurité #Wordpress #Web

##

beyondmachines1@infosec.exchange at 2025-07-02T15:01:13.000Z ##

WordPress Plugin flaw exposes over 600,000 websites to potential remote takeover

A critical vulnerability (CVE-2025-6463) in the Forminator WordPress plugin affecting over 600,000 installations allows unauthenticated attackers to delete arbitrary files, including critical WordPress files like wp-config.php. The flaw enables site takeover by forcing installations into setup mode after deleting wp-config.php and then connecting to a database they control.

**If you're using the Forminator WordPress plugin, immediately update to version 1.44.3 or later. Your WordPress site is exposed to the internet by design, so attackers will find it very quickly. Don't delay, updating a plugin in WordPress is quite easy. Then check your form submission logs for any suspicious entries that might indicate your site was already targeted.**
#cybersecurity #infosec #advisory #vulnerability
beyondmachines.net/event_detai

##

FunctionalProgramming@activitypub.awakari.com at 2025-07-02T07:08:56.000Z ##

Severe WordPress Plugin Flaw Puts Over 600,000 Sites at Risk of Remote Takeover

A newly disclosed vulnerability, tracked as CVE-2025-6463, has put over 600,000 WordPress sites at immediate risk. Th...

#Cyber #Security #News #Cybersecurity #Vulnerability #Cyber #Security #Cyber #security #news #vulnerability

##

CVE-2025-3466
(9.8 CRITICAL)

EPSS: 0.11%

updated 2025-07-07T12:30:29

1 post

langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictions are imposed. This can lead to unauthorized access to secret keys, internal network servers, and late

offseq at 2025-07-07T10:31:24.207Z ##

CRITICAL vuln: langgenius/dify 1.1.0–1.1.2 (CVE-2025-3466) lets attackers override JS globals & run root code. Upgrade to 1.1.3 ASAP! Risk: data exposure, lateral movement. radar.offseq.com/threat/cve-20

##

CVE-2025-3705
(6.8 MEDIUM)

EPSS: 0.10%

updated 2025-07-07T12:30:29

1 posts

A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive.

certvde at 2025-07-07T10:00:21.498Z ##

VDE-2025-030
Frauscher: FDS101, FDS-SNMP101 and FDS102 for FAdC/FAdCi are Vulnerable to OS Command Injection Vulnerability

CVE-2025-3626, CVE-2025-3705

certvde.com/en/advisories/VDE-

frauscher.csaf-tp.certvde.com/

##

CVE-2025-3626
(9.1 CRITICAL)

EPSS: 0.25%

updated 2025-07-07T10:15:27.967000

1 posts

A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI.

certvde at 2025-07-07T10:00:21.498Z ##

VDE-2025-030
Frauscher: FDS101, FDS-SNMP101 and FDS102 for FAdC/FAdCi are Vulnerable to OS Command Injection Vulnerability

CVE-2025-3626, CVE-2025-3705

certvde.com/en/advisories/VDE-

frauscher.csaf-tp.certvde.com/

##

CVE-2025-7118
(8.8 HIGH)

EPSS: 0.04%

updated 2025-07-07T09:30:31

1 posts

A vulnerability, which was classified as critical, has been found in UTT HiPER 840G up to 3.1.1-190328. This issue affects some unknown processing of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this

offseq at 2025-07-07T09:01:05.301Z ##

🛡️ UTT HiPER 840G (<=3.1.1-190328) hit by HIGH severity buffer overflow (CVE-2025-7118). Remote exploit possible via /goform/formPictureUrl; no patch yet. Isolate, restrict, and monitor now! radar.offseq.com/threat/cve-20

##

CVE-2025-41672
(10.0 CRITICAL)

EPSS: 0.05%

updated 2025-07-07T07:15:23.973000

4 posts

A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.

cR0w at 2025-07-07T12:29:45.708Z ##

Oh, WAGO, at it again. 🥳

certvde.com/en/advisories/VDE-

sev:CRIT 10.0 - CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H

During installation, identical certificates are installed across all systems instead of unique ones, which are intended for JWT Token encryption and signing.

The system installs identical JWT signing certificates on all installations instead of generating unique ones. This allows anyone with the shared key to forge valid tokens and impersonate users across all systems, compromising security.

nvd.nist.gov/vuln/detail/CVE-2

##

offseq at 2025-07-07T07:31:10.115Z ##

🚨 CVE-2025-41672 (CRITICAL): WAGO Device Sphere 1.0.0 has a default cert flaw—remote attackers can forge JWTs for full system access. Isolate affected systems, monitor for unusual tokens, and consult WAGO for fixes. radar.offseq.com/threat/cve-20

##

certvde at 2025-07-07T06:18:47.302Z ##

VDE-2025-057
WAGO: Vulnerability in WAGO Device Sphere

CVE-2025-41672

certvde.com/en/advisories/VDE-

wago.csaf-tp.certvde.com/.well

##

CVE-2025-53473
(7.3 HIGH)

EPSS: 0.04%

updated 2025-07-07T06:30:30

2 posts

Server-side request forgery (SSRF) vulnerability exists in multiple versions of Nimesa Backup and Recovery. If this vulnerability is exploited, unintended requests may be sent to internal servers.

cR0w at 2025-07-07T12:36:07.955Z ##

Command injection and SSRF in Nimesa Backup and Recovery.

jvn.jp/en/jp/JVN88251376/

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, arbitrary OS commands may be executed on the server where the product is running.

nvd.nist.gov/vuln/detail/CVE-2

sev:MED 6.9 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Server-side request forgery (SSRF) vulnerability exists in multiple versions of Nimesa Backup and Recovery. If this vulnerability is exploited, unintended requests may be sent to internal servers.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-48501
(9.8 CRITICAL)

EPSS: 0.23%

updated 2025-07-07T05:15:41.913000

3 posts

An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, arbitrary OS commands may be executed on the server where the product is running.

cR0w at 2025-07-07T12:36:07.955Z ##

Command injection and SSRF in Nimesa Backup and Recovery.

jvn.jp/en/jp/JVN88251376/

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, arbitrary OS commands may be executed on the server where the product is running.

nvd.nist.gov/vuln/detail/CVE-2

sev:MED 6.9 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Server-side request forgery (SSRF) vulnerability exists in multiple versions of Nimesa Backup and Recovery. If this vulnerability is exploited, unintended requests may be sent to internal servers.

nvd.nist.gov/vuln/detail/CVE-2

##

offseq at 2025-07-07T06:01:07.328Z ##

🚨 CRITICAL: CVE-2025-48501 in Nimesa Backup & Recovery v2.3/2.4 enables remote OS command injection (CVSS 9.8). No auth needed; patch unavailable. Restrict access, monitor logs, and check with vendor. radar.offseq.com/threat/cve-20

##

CVE-2025-7145
(7.2 HIGH)

EPSS: 0.27%

updated 2025-07-07T03:30:29

3 posts

ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host.

cR0w at 2025-07-07T12:39:24.906Z ##

Post-auth command injection in ThreatSonar Anti-Ransomware.

twcert.org.tw/tw/cp-132-10231-

ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host.

nvd.nist.gov/vuln/detail/CVE-2

##

offseq at 2025-07-07T03:01:14.228Z ##

⚠️ CVE-2025-7145: HIGH severity OS Command Injection in TeamT5 ThreatSonar Anti-Ransomware v3.6.0—attackers w/ intermediate privileges can execute arbitrary OS commands & gain admin access. No patch yet—implement access controls & monitor activity. radar.offseq.com/threat/cve-20

##

CVE-2025-7100
(6.3 MEDIUM)

EPSS: 0.03%

updated 2025-07-07T03:30:29

2 posts

A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7101
(6.3 MEDIUM)

EPSS: 0.04%

updated 2025-07-07T03:30:23

2 posts

A vulnerability was found in BoyunCMS up to 1.4.20. It has been classified as critical. This affects an unknown part of the file /install/install_ok.php of the component Configuration File Handler. The manipulation of the argument db_pass leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7099
(5.6 MEDIUM)

EPSS: 0.04%

updated 2025-07-07T00:30:24

2 posts

A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be

CVE-2025-7079
(3.7 LOW)

EPSS: 0.03%

updated 2025-07-06T15:30:36

4 posts

A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the component JWT Token Handler. The manipulation of the argument mySecret with the input bluebell-plus leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an atta

0xThiebaut at 2025-07-06T16:03:16.286Z ##

@cR0w is that the correct CVE link? CVE-2025-7079 seems unrelated to Broadcom

##

cR0w at 2025-07-06T13:01:14.001Z ##

Since the latest release is two years old, I don't expect many people use this. But have another hardcoded JWT secret.

github.com/mao888/bluebell-plu

A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the component JWT Token Handler. The manipulation of the argument mySecret with the input bluebell-plus leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-27446
(0 None)

EPSS: 0.01%

updated 2025-07-06T06:15:21.587000

1 posts

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

cR0w@infosec.exchange at 2025-07-06T12:40:20.000Z ##

PrivEsc in Apache APISIX.

lists.apache.org/thread/qwxnxo

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner).

Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges.
This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0.

Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-47228
(6.7 MEDIUM)

EPSS: 0.09%

updated 2025-07-05T03:30:32

1 posts

In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), shell injection in the SSH connection settings allows authenticated attackers to execute system commands via crafted HTTP requests.

1 repos

https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228

undercodenews@mastodon.social at 2025-07-07T08:02:58.000Z ##

ScriptCase Hit by Critical Zero-Day Exploits: Remote Access Without Login

Dangerous Vulnerabilities Expose ScriptCase Servers to Full Takeover Two severe vulnerabilities have been discovered in ScriptCase, a widely used low-code development platform for PHP applications. The flaws, tracked as CVE-2025-47227 and CVE-2025-47228, were revealed by cybersecurity researchers Alexandre Droullé and Alexandre Zanni. These bugs target the "Production Environment" module—known as…

undercodenews.com/scriptcase-h

##

CVE-2025-49809
(7.9 HIGH)

EPSS: 0.01%

updated 2025-07-04T15:31:08

1 posts

mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTR_PACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries.

cR0w@infosec.exchange at 2025-07-04T14:02:25.000Z ##

Never had this problem with traceroute. ducks

github.com/Homebrew/homebrew-c

sev:HIGH 7.8 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTR_PACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-5372
(5.0 MEDIUM)

EPSS: 0.04%

updated 2025-07-04T06:30:28

1 posts

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographi

cR0w@infosec.exchange at 2025-07-04T13:14:05.000Z ##

Okay, this one's kind of funny. 1s and 0s are hard.

access.redhat.com/security/cve

sev:MED 5.0 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-53367
(0 None)

EPSS: 0.01%

updated 2025-07-03T22:15:21.140000

3 posts

DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-

opensourceopenmind@vivaldi.net at 2025-07-08T08:27:22.000Z ##

@pabloyoyoista Does anyone know if github.blog/security/vulnerabi applies to the #flatpak versions of #Papers or #Evince from #flathub?

##

cR0w@infosec.exchange at 2025-07-03T21:46:57.000Z ##

github.blog/security/vulnerabi

sev:HIGH 8.4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version 3.5.29.

cve.org/CVERecord?id=CVE-2025-

##

Ubuntu@activitypub.awakari.com at 2025-07-03T20:52:20.000Z ##

CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre

DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to o...

#Security #Vulnerability #research #CVE #GitHub #Security #Lab #linux #open #source

##

CVE-2025-49826
(7.5 HIGH)

EPSS: 0.01%

updated 2025-07-03T22:15:21.010000

1 posts

Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being se

cR0w@infosec.exchange at 2025-07-03T21:44:13.000Z ##

sev:HIGH cache poisoning vuln in next dot js.

github.com/vercel/next.js/secu

A vulnerability affecting Next.js has been addressed. It impacted versions >=15.1.0 <15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Edit to add the CVE: cve.org/CVERecord?id=CVE-2025-

##

CVE-2025-20309
(10.0 CRITICAL)

EPSS: 0.13%

updated 2025-07-03T15:23:28.870000

9 posts

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentia

LCSC_IE@infosec.exchange at 2025-07-04T11:18:44.000Z ##

🟥𝐋𝐂𝐒𝐂-𝐈𝐄 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐅𝐢𝐧𝐝𝐢𝐧𝐠𝐬-𝟒 𝐉𝐮𝐥𝐲 𝟐𝟎𝟐𝟓🟥

𝐍𝐞𝐰𝐬:

1. Ekco Ireland grows headcount to more than 1,000 with Adapt IT acquisition

siliconrepublic.com/business/e

2. Estonia’s cyber ambassador on digitalization, punching upwards and outing GRU spies

therecord.media/estonia-cyber-

3. Why cybersecurity should be seen as a business enabler, not a blocker

siliconrepublic.com/enterprise

4. South Korea penalises 'negligent' SK Telecom over major data leak

reuters.com/sustainability/boa

5. Russia jails man for 16 years over pro-Ukraine cyberattacks on critical infrastructure

therecord.media/russia-jails-m

6. CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability

sec.cloudapps.cisco.com/securi

7. Criminals Sending QR Codes in Phishing, Malware Campaigns

darkreading.com/endpoint-secur

8. Interpol identifies West Africa as potential new hotspot for cybercrime compounds

therecord.media/interpol-west-

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Allianz Seguros Spain Allegedly Breached – Database of 4.6 Million Offered for Sale

dailydarkweb.net/allianz-segur

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Taking SHELLTER: a commercial evasion framework abused in-the-wild

elastic.co/security-labs/takin

2. Threat Actors Recompile SonicWall's NetExtender to Include SilentRoute Backdoor

esentire.com/blog/threat-actor

3. RondoDox Unveiled: Breaking Down a New Botnet Threat

fortinet.com/blog/threat-resea

4. Hpingbot: A New Botnet Family Based on Pastebin Payload Delivery Chain and Hping3 DDoS Module

nsfocusglobal.com/hpingbot-a-n

5. 8 More Malicious Firefox Extensions: Exploiting Popular Game Recognition, Hijacking User Sessions, and Stealing OAuth Credentials

socket.dev/blog/8-more-malicio

6. Satori Threat Intelligence Alert: IconAds Conceals Source of Ad Fraud from Users

humansecurity.com/learn/blog/s

7. When Installers Turn Evil: The Pascal Script Behind Inno Setup Malware Campaign

splunk.com/en_us/blog/security

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. The Future of Threat Hunting and Investigation : ELK MCP Server

f0xypr0xy.medium.com/the-futur

2. Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones

techcrunch.com/2025/07/02/data

3. Researchers Defeat Content Security Policy Protections via HTML Injection

jorianwoltjer.com/blog/p/resea

4. Cl0p Ransomware’s Exfiltration Process Exposes RCE Vulnerability

infosec.exchange/@adulau/11477

5. Identifying and abusing Azure Arc for hybrid escalation and persistence

ibm.com/think/x-force/identify

6. Detecting Attacks in Real-Time with Falco and Grafana: A Beginner’s Guide

medium.com/@lavanyabhargava05/

7. How I Bypassed a WAF | Why Documentation matters | RGHX

rghx.medium.com/how-i-bypassed

8. One attack, one alert: From thousands of signals to one clear story

group-ib.com/blog/one-attack-o

9. Azure Honeypot with Live Traffic

medium.com/@rajesh.p3807/azure

10. dnSpy—Static Analysis of a .NET Malware

medium.com/@tarunrd77/dnspy-st

11. Part 3: In-Memory Execution Methods — How Malware Lives Rent-Free in Your System

medium.com/@cybertooths/part-3

12. Using Process Parent and Children Relationships for Detection and Hunting

knowyouradversary.ru/2025/07/1

13. Taking over 60k spyware user accounts with SQL injection

ericdaigle.ca/posts/taking-ove

14. Logwatcher’s Zenit #05: Beginner Mistakes in KQL

threathunter-chronicles.medium

15. Custom AnyDesk Abuse: A Stealthy Way Adversaries Take Over Your System

medium.com/@dgtrivedi4646/cust

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. The Evolving Threat Landscape: A Comprehensive Report on Scattered Spider

falconfeeds.io/blogs/scattered

2. Exclusive disclosure of the attack activities of the APT group NightEagle

github.com/RedDrip7/NightEagle

3. Iran's Intelligence Group 13

dti.domaintools.com/irans-inte

4. Beneath the Waves and Beyond: How Cybersecurity and Undersea Defense Stocks Are Rising to Meet Russia's Hybrid Threats

ainvest.com/news/beneath-waves

5. PLA’s Multi-Domain Reorganization: Cyberspace, Aerospace, and Information Support Forces Reshape the Threat Landscape

blog.alphahunt.io/plas-multi-d

6. First Quarter 2025 Ransomware Trends

optiv.com/insights/discover/bl

---

##

todb@infosec.exchange at 2025-07-03T14:21:53.000Z ##

Another static, unchangeable root password in Cisco gear. In 2025.

cve.org/cverecord?id=CVE-2025-

#SecureByDesign

##

jos1264@social.skynetcloud.site at 2025-07-03T11:15:02.000Z ##

Cisco fixes maximum-severity flaw in enterprise unified comms platform (CVE-2025-20309) helpnetsecurity.com/2025/07/03 #communication #vulnerability #enterprise #Don'tmiss #Hotstuff #Cisco #News #SMBs

##

beyondmachines1@infosec.exchange at 2025-07-03T08:01:28.000Z ##

Cisco patches critical hardcoded credentials vulnerability in Unified Communications Manager

Cisco reports a maximum-severity vulnerability (CVE-2025-20309) in its Unified Communications Manager platforms caused by hardcoded static SSH credentials for the root account. The flaw allows unauthenticated remote attackers to gain complete administrative control over enterprise IP telephony networks.

**Obvious first step - isolate the SSH port of your CUCM and make it accessible from trusted networks only. Then VERY QUICKLY update to versions 15.0.1.13010-1 through 15.0.1.13017-1, or apply the patches. Just isolating the CUCM isn't enough - the hardcoded password can be abused by malicious insiders, or other devices with access to trusted networks can be breached and the attackers can then breach CUCM.**
#cybersecurity #infosec #advisory #vulnerability
beyondmachines.net/event_detai

##

jos1264@social.skynetcloud.site at 2025-07-03T06:45:03.000Z ##

Cisco Issues Urgent Patch for Critical Unified CM Vulnerability (CVE-2025-20309) thecyberexpress.com/cisco-patc #TheCyberExpressNews #Ciscovulnerability #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE202520309 #UnifiedCMSME #CyberNews #UnifiedCM

##

TomSellers@infosec.exchange at 2025-07-02T19:54:57.000Z ##

A note on the security advisory for CVE-2025-20309 in Cisco Unified Communications Manager which covers hard coded credentials - as I understand it this only impacts a special version of the product that users would have to contact TAC to get. If that is a correct understanding then I would expect this to limit the likelihood that organizations are running the impacted versions.

Quoting from the advisory:

This vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.

Note: ES releases are limited fix releases that are distributed only by the Cisco Technical Assistance Center (TAC).

Reference: sec.cloudapps.cisco.com/securi

#Security #CVE_2025_20309 #CVE202520309

##

cR0w@infosec.exchange at 2025-07-02T17:16:34.000Z ##

@_newick NIST hasn't published it then. It's also available here: cve.org/CVERecord?id=CVE-2025-

##

AAKL@infosec.exchange at 2025-07-02T17:12:35.000Z ##

New.

CVE-2025-20309 (critical): Cisco Unified Communications Manager Static SSH Credentials Vulnerability sec.cloudapps.cisco.com/securi

- Cisco Spaces Connector Privilege Escalation Vulnerability - CVE-2025-20308 sec.cloudapps.cisco.com/securi

- Cisco Enterprise Chat and Email Stored Cross-Site Scripting Vulnerability - CVE-2025-20310 sec.cloudapps.cisco.com/securi

- Cisco BroadWorks Application Delivery Platform Cross-Site Scripting Vulnerability - CVE-2025-20307 sec.cloudapps.cisco.com/securi @TalosSecurity #cybersecurity #infosec #Cisco

##

cR0w@infosec.exchange at 2025-07-02T16:40:18.000Z ##

Are you fucking kidding me Cisco? Again?

sec.cloudapps.cisco.com/securi

sev:CRIT 10.0 🥳

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-53104
(9.1 CRITICAL)

EPSS: 0.30%

updated 2025-07-03T15:14:12.767000

1 posts

gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussio

cR0w@infosec.exchange at 2025-07-01T19:10:05.000Z ##

Command injection in the discussion-to-slack workflow in gluestack-ui.

github.com/gluestack/gluestack

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-34064
(0 None)

EPSS: 0.05%

updated 2025-07-03T15:14:12.767000

1 posts

A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configura

cR0w@infosec.exchange at 2025-07-01T15:58:47.000Z ##

I don't understand the issue here. It's literally in the name of the company. 🥳

specterops.io/blog/2025/06/10/

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.0 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-37097
(7.5 HIGH)

EPSS: 0.05%

updated 2025-07-03T15:14:12.767000

1 posts

A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service

cR0w@infosec.exchange at 2025-07-01T15:03:07.000Z ##

Go hack more remote support shit.

support.hpe.com/hpesc/public/d

Multiple security vulnerabilities have been identified in HPE Insight Remote Support. These vulnerabilities could remotely allow a directory traversal, disclosure of information, or code execution.

CVE-2025-37097 ( sev:MED 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H )

CVE-2025-37098 ( sev:MED 6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVE-2025-37099 ( sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H )

##

CVE-2025-49483
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-03T15:14:12.767000

1 posts

Improper Resource Shutdown or Release vulnerability in ASR180x, ASR190x in tr069 modules allows Resource Leak Exposure. This vulnerability is associated with program files tr069/tr069_uci.c. This issue affects Falcon_Linux, Kestrel, Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-49488
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-03T15:14:12.767000

1 posts

Improper Resource Shutdown or Release vulnerability in ASR180x, ASR190x in router components allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pb.c. This issue affects Falcon_Linux, Kestrel, Lapwing_Linux: before v1536.

CVE-2025-49482
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-03T15:14:12.767000

1 posts

Improper Resource Shutdown or Release vulnerability in ASR180x, ASR190x in tr069 modules allows Resource Leak Exposure. This vulnerability is associated with program files tr069/tr098.c. This issue affects Falcon_Linux, Kestrel, Lapwing_Linux: before v1536.

CVE-2025-43713
(6.5 MEDIUM)

EPSS: 0.07%

updated 2025-07-03T15:13:53.147000

1 posts

ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are implemented with .NET remoting and can be exploited via well-known deserialization techniques inherent in the technology. Because the services run with SYSTEM-level

cR0w@infosec.exchange at 2025-07-03T13:53:32.000Z ##

asna.com/en/kb/security-update

This vulnerability affects only our Windows-based products. DataGate for IBM i is not affected. Our Visual RPG (for .NET and Classic), Wings, Mobile RPG, and DataGate for SQL Server are affected by this vulnerability and need to be updated.

The vulnerability exists only on the network where Windows machines are running the affected ASNA Assist or ASNA Registrar services. The threat is present only when these vulnerable services are running and an untrusted user has Windows network access (e.g., via a malicious intruder or a disgruntled employee).

ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are implemented with .NET remoting and can be exploited via well-known deserialization techniques inherent in the technology. Because the services run with SYSTEM-level rights, exploits can be crafted to achieve escalation of privilege and arbitrary code execution. This affects DataGate for SQL Server 17.0.36.0 and 16.0.89.0, DataGate Component Suite 17.0.36.0 and 16.0.89.0, DataGate Monitor 17.0.26.0 and 16.0.65.0, DataGate WebPak 17.0.37.0 and 16.0.90.0, Monarch for .NET 11.4.50.0 and 10.0.62.0, Encore RPG 4.1.36.0, Visual RPG .NET FW 17.0.37.0 and 16.0.90.0, Visual RPG .NET FW Windows Deployment 17.0.36.0 and 16.0.89.0, WingsRPG 11.0.38.0 and 10.0.95.0, Mobile RPG 11.0.35.0 and 10.0.94.0, Monarch Framework for .NET FW 11.0.36.0 and 10.0.89.0, Browser Terminal 17.0.37.0 and 16.0.90.0, Visual RPG Classic 5.2.7.0 and 5.1.17.0, Visual RPG Deployment 5.2.7.0 and 5.1.17.0, and DataGate Studio 17.0.38.0 and 16.0.104.0.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-49618
(5.8 MEDIUM)

EPSS: 0.03%

updated 2025-07-03T15:13:53.147000

1 posts

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

cR0w@infosec.exchange at 2025-07-03T12:58:15.000Z ##

Oh my.

linkedin.com/posts/gaetano-ces

sev:MED 5.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-53110
(0 None)

EPSS: 0.06%

updated 2025-07-03T15:13:53.147000

2 posts

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 0.6.4 or 2025.7.01 to resolve.

LCSC_IE@infosec.exchange at 2025-07-03T11:49:00.000Z ##

🟥𝐋𝐂𝐒𝐂-𝐈𝐄 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐅𝐢𝐧𝐝𝐢𝐧𝐠𝐬-𝟑 𝐉𝐮𝐥𝐲 𝟐𝟎𝟐𝟓🟥

𝐍𝐞𝐰𝐬:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

𝐀𝐏𝐓 𝐈𝐎𝐂𝐬:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

##

_r_netsec@infosec.exchange at 2025-07-02T17:43:05.000Z ##

EscapeRoute: How we found 2 vulnerabilities in Anthropic’s Filesystem MCP Server (CVE-2025-53109 & CVE-2025-53110) cymulate.com/blog/cve-2025-531

##

CVE-2025-20307
(4.8 MEDIUM)

EPSS: 0.03%

updated 2025-07-03T15:13:53.147000

1 posts

A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit th

AAKL@infosec.exchange at 2025-07-02T17:12:35.000Z ##

New.

CVE-2025-20309 (critical): Cisco Unified Communications Manager Static SSH Credentials Vulnerability sec.cloudapps.cisco.com/securi

- Cisco Spaces Connector Privilege Escalation Vulnerability - CVE-2025-20308 sec.cloudapps.cisco.com/securi

- Cisco Enterprise Chat and Email Stored Cross-Site Scripting Vulnerability - CVE-2025-20310 sec.cloudapps.cisco.com/securi

- Cisco BroadWorks Application Delivery Platform Cross-Site Scripting Vulnerability - CVE-2025-20307 sec.cloudapps.cisco.com/securi @TalosSecurity #cybersecurity #infosec #Cisco

##

CVE-2025-52891
(6.5 MEDIUM)

EPSS: 0.05%

updated 2025-07-03T15:13:53.147000

1 posts

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched

cR0w@infosec.exchange at 2025-07-02T15:30:06.000Z ##

Whoopsie. DoS in ModSecurity.

github.com/owasp-modsecurity/M

sev:MED 6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-53106
(0 None)

EPSS: 0.04%

updated 2025-07-03T15:13:53.147000

1 posts

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-c

cR0w@infosec.exchange at 2025-07-02T14:54:25.000Z ##

PrivEsc in Graylog.

github.com/Graylog2/graylog2-s

sev:HIGH 8.8 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > "Allow users to create personal access tokens".

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-34071
(0 None)

EPSS: 0.28%

updated 2025-07-03T15:13:53.147000

1 posts

A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade feature. The system upgrade mechanism accepts unsigned .img files, which can be modified to include malicious scripts within the upgrade.sh or disk image components. These modified upgrade images are not validated for authent

cR0w@infosec.exchange at 2025-07-02T14:36:42.000Z ##

IDK how old this disclosure is because once again, there's no date on the post. But the CVEs were just published today. Happy hacking.

ssd-disclosure.com/ssd-advisor

An analysis primarily of Kerio Control revealed a design flaw in the implementation of the communication with GFI AppManager, leading to an authentication bypass vulnerability in the product under audit. Once the authentication bypass is achieved, the attacker can cause the execution of arbitrary code and commands.

sev:CRIT 9.5 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H - nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H - nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H - nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-27024
(6.5 MEDIUM)

EPSS: 0.04%

updated 2025-07-03T15:13:53.147000

1 posts

Unrestricted access to OS file system in SFTP service in Infinera G42 version R6.1.3 allows remote authenticated users to read/write OS files via SFTP connections. Details: Account members of the Network Administrator profile can access the target machine via SFTP with the same credentials used for SSH CLI access and are able to read all files according to the OS permission instead of remain

CVE-2025-24330
(6.4 MEDIUM)

EPSS: 0.02%

updated 2025-07-03T15:13:53.147000

1 posts

Sending a crafted SOAP "provision" operation message PlanId field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause a path traversal issue in Nokia Single RAN baseband software with versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected in release 24R1-SR 1.0 MP and later. Beginning with release 24R1-SR 1.0 MP, the OAM ser

CVE-2025-27025
(8.8 HIGH)

EPSS: 0.36%

updated 2025-07-03T15:13:53.147000

1 posts

The target device exposes a service on a specific TCP port with a configured endpoint. The access to that endpoint is granted using a Basic Authentication method. The endpoint accepts also the PUT method and it is possible to write files on the target device file system. Files are written as root. Using Postman it is possible to perform a Directory Traversal attack and write files into any lo

CVE-2025-27021
(7.0 HIGH)

EPSS: 0.01%

updated 2025-07-03T15:13:53.147000

1 posts

The misconfiguration in the sudoers configuration of the operating system in Infinera G42 version R6.1.3 allows low privileged OS users to read/write physical memory via devmem command line tool. This could allow sensitive information disclosure, denial of service, and privilege escalation by tampering with kernel memory. Details: The output of "sudo -l" reports the presence of "devmem" com

CVE-2025-1708
(8.6 HIGH)

EPSS: 0.04%

updated 2025-07-03T12:35:09

1 posts

The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content.

PostgreSQL@activitypub.awakari.com at 2025-07-03T11:18:22.000Z ##

CVE-2025-1708 The application is vulnerable to SQL injection attacks. An attac...

The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read...

##

CVE-2025-53109
(CVSS UNKNOWN)

EPSS: 0.06%

updated 2025-07-02T18:56:41

2 posts

Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 2025.7.1 to resolve. Thank you to Elad Beber (Cymulate) for reporting these issues.

CVE-2025-48928
(4.0 None)

EPSS: 8.89%

updated 2025-07-02T18:31:32

3 posts

The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.

beyondmachines1@infosec.exchange at 2025-07-04T09:01:18.000Z ##

CISA warns of active attacks on Signal clone TeleMessage

CISA has issued a warning about two actively exploited vulnerabilities in TeleMessage TM SGNL, a Signal clone used by national security staffers and government officials, including a Spring Boot Actuator misconfiguration (CVE-2025-48927) that exposes memory dumps and a local access vulnerability (CVE-2025-48928) enabling password extraction.

**If you're using TeleMessage TM SGNL, start patching it today, because it's being actively exploited. Alternatively, stop using the software entirely. Switch back to standard Signal or another approved properly encrypted messaging app since TM SGNL has already been breached and continues to be attacked.**
#cybersecurity #infosec #attack #activeattack
beyondmachines.net/event_detai

##

AAKL@infosec.exchange at 2025-07-01T19:28:38.000Z ##

CISA has added to the KEV catalogue:

- CVE-2025-48927: TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability cve.org/CVERecord?id=CVE-2025-

- CVE-2025-48928: TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability cve.org/CVERecord?id=CVE-2025-

From yesterday:

- CVE-2025-6543: Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2025- #CISA #cybersecurity #infosec

##

cisakevtracker@mastodon.social at 2025-07-01T18:00:53.000Z ##

CVE ID: CVE-2025-48928
Vendor: TeleMessage
Product: TM SGNL
Date Added: 2025-07-01
Notes: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-20308
(6.0 MEDIUM)

EPSS: 0.02%

updated 2025-07-02T18:30:42

1 posts

A vulnerability in Cisco Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient restrictions during the execution of specific CLI commands. An attacker could exploit this vulnerability by logging in to the Cisco Spaces Connector CLI as the spacesadmin u

CVE-2025-20310
(6.1 MEDIUM)

EPSS: 0.04%

updated 2025-07-02T18:30:37

1 posts

A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafte

CVE-2025-24334
(3.3 LOW)

EPSS: 0.01%

updated 2025-07-02T15:31:43

1 posts

The Nokia Single RAN baseband software earlier than 23R2-SR 1.0 MP can be made to reveal the exact software release version by sending a specific HTTP POST request through the Mobile Network Operator (MNO) internal RAN management network.

CVE-2025-24333
(6.4 MEDIUM)

EPSS: 0.02%

updated 2025-07-02T15:31:43

1 posts

Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains an administrative shell input validation fault, which an authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to the baseband internal COMA_config.xml file. This issue has been corrected starting from release 24R1-S

CVE-2025-24332
(7.1 HIGH)

EPSS: 0.02%

updated 2025-07-02T15:31:43

1 posts

Nokia Single RAN AirScale baseband allows an authenticated administrative user access to all physical boards after performing a single login to the baseband system board. The baseband does not re-authenticate the user when they connect from the baseband system board to the baseband capacity boards using the internal bsoc SSH service, which is available only internally within the baseband and throu

CVE-2025-24335
(2.0 LOW)

EPSS: 0.02%

updated 2025-07-02T15:31:43

1 posts

Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service. No practical exploit has been detected for this flaw. However, the issue has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation

CVE-2025-24331
(6.4 MEDIUM)

EPSS: 0.01%

updated 2025-07-02T15:31:38

1 posts

The Single RAN baseband OAM service is intended to run as an unprivileged service. However, it initially starts with root privileges and assigns certain capabilities before dropping to an unprivileged level. The capabilities retained from the root period are considered extensive after the privilege drop and, in theory, could potentially allow actions beyond the intended scope of the OAM service. T

CVE-2025-24329
(6.4 MEDIUM)

EPSS: 0.02%

updated 2025-07-02T15:31:38

1 posts

Sending a crafted SOAP "provision" operation message archive field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause a path traversal issue in Nokia Single RAN baseband software with versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected in release 24R1-SR 1.0 MP and later. Beginning with release 24R1-SR 1.0 MP, the OAM se

CVE-2025-24328
(4.2 MEDIUM)

EPSS: 0.01%

updated 2025-07-02T15:31:37

1 posts

Sending a crafted SOAP "set" operation message within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause Nokia Single RAN baseband OAM service component restart with software versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. The OAM service component restarts automatically after the stac

CVE-2025-34072
(CVSS UNKNOWN)

EPSS: 0.08%

updated 2025-07-02T15:30:44

1 posts

A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model Context Protocol (MCP) Server via automatic link unfurling. When an AI agent using the Slack MCP Server processes untrusted data, it can be manipulated to generate messages containing attacker-crafted hyperlinks embedding sensitive data. Slack’s link preview bots (e.g., Slack-LinkExpanding, Slackbot, Slack-ImgProxy) wil

CVE-2025-34069
(CVSS UNKNOWN)

EPSS: 0.14%

updated 2025-07-02T15:30:44

1 posts

An authentication bypass vulnerability exists in GFI Kerio Control 9.4.5 due to insecure default proxy configuration and weak access control in the GFIAgent service. The non-transparent proxy on TCP port 3128 can be used to forward unauthenticated requests to internal services such as GFIAgent, bypassing firewall restrictions and exposing internal management endpoints. This enables unauthenticated

CVE-2025-34070
(CVSS UNKNOWN)

EPSS: 0.12%

updated 2025-07-02T15:30:37

1 posts

A missing authentication vulnerability in the GFIAgent component of GFI Kerio Control 9.4.5 allows unauthenticated remote attackers to perform privileged operations. The GFIAgent service, responsible for integration with GFI AppManager, exposes HTTP services on ports 7995 and 7996 without proper authentication. The /proxy handler on port 7996 allows arbitrary forwarding to administrative endpoints

cR0w@infosec.exchange at 2025-07-02T14:36:42.000Z ##

IDK how old this disclosure is because once again, there's no date on the post. But the CVEs were just published today. Happy hacking.

ssd-disclosure.com/ssd-advisor

An analysis primarily of Kerio Control revealed a design flaw in the implementation of the communication with GFI AppManager, leading to an authentication bypass vulnerability in the product under audit. Once the authentication bypass is achieved, the attacker can cause the execution of arbitrary code and commands.

sev:CRIT 9.5 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H - nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H - nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H - nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-48379
(7.1 HIGH)

EPSS: 0.01%

updated 2025-07-02T14:20:25

1 posts

There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. * Unclear how large the potential write could be. It is likely limited by process segfault, so it's not necessarily determinist

cR0w@infosec.exchange at 2025-07-01T19:11:54.000Z ##

BoF in Python Pillow.

github.com/python-pillow/Pillo

sev:HIGH 7.1 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-27022
(7.5 HIGH)

EPSS: 0.06%

updated 2025-07-02T12:33:13

1 posts

Path traversal in WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack of or insufficient validation of user-supplied input allows authenticated users to access all files on the target machine file system that are readable to the user account used to run the httpd service.

CVE-2025-27023
(6.5 MEDIUM)

EPSS: 0.07%

updated 2025-07-02T12:32:17

1 posts

Lack of or insufficient input validation in WebGUI CLI web in Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web interface based management of the Infinera G42 appliance enables the feature of executing a restricted set of commands. This feature also offers the option to execute a script-file already present on the target

CVE-2024-13786
(9.8 CRITICAL)

EPSS: 0.11%

updated 2025-07-02T09:30:34

1 posts

The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless anot

AAKL@infosec.exchange at 2025-07-02T15:12:43.000Z ##

EUVD: Critical CVE-2024-13786: the education theme for WordPress is vulnerable to PHP Object Injection in all versions euvd.enisa.europa.eu/vulnerabi

- CVE-2025-4689: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to RCE Local File Inclusion euvd.enisa.europa.eu/vulnerabi @euvdfeed #cybersecurity #infosec #WordPress

##

CVE-2025-4689
(9.8 CRITICAL)

EPSS: 0.15%

updated 2025-07-02T06:30:41

1 posts

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers

AAKL@infosec.exchange at 2025-07-02T15:12:43.000Z ##

EUVD: Critical CVE-2024-13786: the education theme for WordPress is vulnerable to PHP Object Injection in all versions euvd.enisa.europa.eu/vulnerabi

- CVE-2025-4689: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to RCE Local File Inclusion euvd.enisa.europa.eu/vulnerabi @euvdfeed #cybersecurity #infosec #WordPress

##

CVE-2025-53107
(7.5 HIGH)

EPSS: 0.15%

updated 2025-07-01T23:52:06

1 posts

Summary: A command injection vulnerability exists in the `git-mcp-server` MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell co

cR0w@infosec.exchange at 2025-07-01T19:07:39.000Z ##

Go hack more MCP shit.

github.com/cyanheads/git-mcp-s

sev:HIGH 7.5 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-32463
(9.4 CRITICAL)

EPSS: 0.01%

updated 2025-07-01T21:33:31

16 posts

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

27 repos

https://github.com/zinzloun/CVE-2025-32463

https://github.com/Adonijah01/cve-2025-32463-lab

https://github.com/SysMancer/CVE-2025-32463

https://github.com/san8383/CVE-2025-32463

https://github.com/robbert1978/CVE-2025-32463_POC

https://github.com/ill-deed/CVE-2025-32463_illdeed

https://github.com/nflatrea/CVE-2025-32463

https://github.com/4f-kira/CVE-2025-32463

https://github.com/yeremeu/CVE-2025-32463_chwoot

https://github.com/pr0v3rbs/CVE-2025-32463_chwoot

https://github.com/junxian428/CVE-2025-32463

https://github.com/Mikivirus0/sudoinjection

https://github.com/K3ysTr0K3R/CVE-2025-32463-EXPLOIT

https://github.com/MAAYTHM/CVE-2025-32462_32463-Lab

https://github.com/B1ack4sh/Blackash-CVE-2025-32463

https://github.com/kh4sh3i/CVE-2025-32463

https://github.com/mirchr/CVE-2025-32463-sudo-chwoot

https://github.com/pevinkumar10/CVE-2025-32463

https://github.com/neko205-mx/CVE-2025-32463_Exploit

https://github.com/SkylerMC/CVE-2025-32463

https://github.com/0xAkarii/CVE-2025-32463

https://github.com/FreeDurok/CVE-2025-32463-PoC

https://github.com/K1tt3h/CVE-2025-32463-POC

https://github.com/Chocapikk/CVE-2025-32463-lab

https://github.com/zhaduchanhzz/CVE-2025-32463_POC

https://github.com/CIA911/sudo_patch_CVE-2025-32463

https://github.com/cyberpoul/CVE-2025-32463-POC

ariadne@treehouse.systems at 2025-07-07T21:46:56.000Z ##

Alpine is not vulnerable to the latest sudo CVE, CVE-2025-32463. Exploitation requires a system which implements NSS (loadable plugins for username and hostname resolution), which musl does not.

##

siderolabs@hachyderm.io at 2025-07-07T08:01:26.000Z ##

⚠️ New Critical Linux CVE ⚠️

Unless you’re using Talos Linux.

In which case, you're fully secure. Carry on, and let your minimal, immutable OS keep you safe from CVE-2025-32463 and CVE-2025-32462.

#CVE2025 #Linux #Kubernetes #CyberSecurity

##

benzogaga33@mamot.fr at 2025-07-04T15:40:03.000Z ##

Linux – Get root access with these two flaws in sudo: CVE-2025-32462 and CVE-2025-32463 it-connect.fr/linux-acces-root #ActuCybersécurité #Vulnérabilités #Cybersécurité #Linux

##

knoppix95@mastodon.social at 2025-07-04T15:33:38.000Z ##

A critical Linux vulnerability (CVE-2025-32463) in Sudo lets any local unprivileged user gain root via the --chroot (-R) option

🔒 Affects default configs on Ubuntu, Fedora & others — no Sudo rules needed

🛠️ Fix: Update to Sudo 1.9.17p1+ (no workarounds)
👀 CVSS: 9.8 (Critical)

Highlights persistent risks in open-source privilege handling 🧩

cybersecuritynews.com/linux-su

#Linux #Sudo #FOSS #CyberSecurity #InfoSec #OpenSource #Vulnerability #Root #Exploit #SysAdmin #DevSecOps

##

b9AcE@todon.eu at 2025-07-04T10:42:08.000Z ##

It is important you make sure you keep your software up to date on all devices where you can.

In this case, a bug was found in the core tool "sudo", found on most Linux systems, with CVSS severity score 9.3 (where 10 is worst), allowing local users to become "root" (the most, fully privileged user); fixed versions are being distributed as part of operating system updates.
sudo.ws/security/advisories/ch
cve.org/CVERecord?id=CVE-2025-
thehackernews.com/2025/07/crit

##

jos1264@social.skynetcloud.site at 2025-07-02T17:45:03.000Z ##

CVE-2025-32463 and CVE-2025-32462: Sudo Local Privilege Escalation Vulnerabilities Threaten Linux Environments – Source: socprime.com ciso2ciso.com/cve-2025-32463-a #rssfeedpostgeneratorecho #PrivilageEscalation #CyberSecurityNews #CVE-2025-32462 #CVE-2025-32463 #Latestthreats #Vulnerability #socprimecom #socprime #Blog #CVE

##

benzogaga33@mamot.fr at 2025-07-02T16:10:02.000Z ##

Local Privilege Escalation to Root via Sudo Chroot in Linux github.com/kh4sh3i/CVE-2025-32

##

Ubuntu@activitypub.awakari.com at 2025-07-02T03:13:02.000Z ## CVE-2025-32463 Privilege Escalation in SUDO Triggers Urgent Linux Patching Threat Group: General Operating System Threat Threat Type: Privilege Escalation Vulnerabilities Exploited Vulnerabilities:...

#Linux #CVE #SUDO #News #Articles

##

nixCraft@mastodon.social at 2025-07-01T21:04:36.000Z ##

Vulnerability Advisory: Sudo chroot Elevation of Privilege stratascale.com/vulnerability-

#linux #unix

##

Haydar@social.tchncs.de at 2025-07-01T20:54:11.000Z ##

Quick check on my side of which distros have fixed the critical #sudo hole CVE-2025-32463 so far:

- Alpine 3.22: OK
- Arch Linux: OK
- Debian 12 / Devuan 5: OK
- Fedora 42: FAIL
- Void Linux: OK

#itsec

##

cR0w@infosec.exchange at 2025-07-01T15:14:21.000Z ##

I think I boosted information about these sudo EoP vulns yesterday but in case I didn't, here's some basic info on them.

stratascale.com/vulnerability-

sev:LOW 2.8 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

nvd.nist.gov/vuln/detail/CVE-2

stratascale.com/vulnerability-

sev:CRIT 9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

nvd.nist.gov/vuln/detail/CVE-2

##

Ubuntu@activitypub.awakari.com at 2025-07-01T12:58:55.000Z ## Sudo local privilege escalation vulnerabilities fixed (CVE-2025-32462, CVE-2025-32463) If you haven’t recently updated the Sudo utility on your Linux box(es), you should do so now, to patch two l...

#Don't #miss #Hot #stuff #News #Debian #Linux #macOS #Stratascale #SUSE #Ubuntu

##

jos1264@social.skynetcloud.site at 2025-07-01T13:55:02.000Z ##

Sudo local privilege escalation vulnerabilities fixed (CVE-2025-32462, CVE-2025-32463) helpnetsecurity.com/2025/07/01 #vulnerability #Stratascale #Don'tmiss #Hotstuff #Debian #Ubuntu #Linux #macOS #News #SUSE

##

beyondmachines1@infosec.exchange at 2025-07-01T13:01:21.000Z ##

Critical Sudo vulnerabilities enable local privilege escalation to root

The Stratascale Cyber Research Unit are reporting two vulnerabilities in the Sudo utility, including a critical flaw (CVE-2025-32463) that allows unprivileged users to escalate to root privileges through the chroot option by exploiting NSS library loading mechanisms.

**This is a nasty flaw. If you have multiple user roles on your linux systems or are running services as non-root, make sure to update your Linux systems' Sudo utility to version 1.9.17p1 or later. The exploit vector is possible if someone already has local access to the system, which can either be through direct credentials or through breaching a vulnerable service that's running as non-root.**
#cybersecurity #infosec #advisory #vulnerability
beyondmachines.net/event_detai

##

jonny@neuromatch.social at 2025-07-01T06:22:24.000Z ##

Maybe controversial, but I think it is bad to do this
stratascale.com/vulnerability-

##

CVE-2025-37099
(9.8 CRITICAL)

EPSS: 0.23%

updated 2025-07-01T18:30:47

1 posts

A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.

cR0w@infosec.exchange at 2025-07-01T15:03:07.000Z ##

Go hack more remote support shit.

support.hpe.com/hpesc/public/d

Multiple security vulnerabilities have been identified in HPE Insight Remote Support. These vulnerabilities could remotely allow a directory traversal, disclosure of information, or code execution.

CVE-2025-37097 ( sev:MED 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H )

CVE-2025-37098 ( sev:MED 6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N )

CVE-2025-37099 ( sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H )

##

CVE-2025-6543
(9.8 CRITICAL)

EPSS: 16.12%

updated 2025-07-01T18:30:34

3 posts

Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

3 repos

https://github.com/grupooruss/Citrix-cve-2025-6543

https://github.com/seabed-atavism/CVE-2025-6543

https://github.com/abrewer251/CVE-2025-6543_CitrixNetScaler_PoC

gwire@mastodon.social at 2025-07-07T12:35:37.000Z ##

When the number of vulnerable IPs ticks up by a small number, I'm assuming they're honeypots?

(Graph is vulnerable Citrix NetScaler endpoints in the UK.)

dashboard.shadowserver.org/sta

##

AAKL@infosec.exchange at 2025-07-01T19:28:38.000Z ##

CISA has added to the KEV catalogue:

- CVE-2025-48927: TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability cve.org/CVERecord?id=CVE-2025-

- CVE-2025-48928: TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability cve.org/CVERecord?id=CVE-2025-

From yesterday:

- CVE-2025-6543: Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2025- #CISA #cybersecurity #infosec

##

GossiTheDog@cyberplace.social at 2025-07-01T09:36:40.000Z ##

Citrix blog on CVE-2025-5777 and some other ones netscaler.com/blog/news/netsca

##

CVE-2025-6554
(8.1 HIGH)

EPSS: 6.66%

updated 2025-07-01T15:32:11

26 posts

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

4 repos

https://github.com/windz3r0day/CVE-2025-6554

https://github.com/gmh5225/CVE-2025-6554-2

https://github.com/PwnToday/CVE-2025-6554

https://github.com/rbaicba/CVE-2025-6554

undercodenews@mastodon.social at 2025-07-07T08:07:21.000Z ##

Google Scrambles to Patch Actively Exploited Chrome Zero-Day Vulnerability

A New Threat Surfaces in the Chrome Browser The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a severe vulnerability in Google Chrome—CVE-2025-6554—to its Known Exploited Vulnerabilities (KEV) catalog, marking it as a critical security issue currently being leveraged by malicious actors. This flaw, found in the V8 JavaScript and WebAssembly engine, represents…

undercodenews.com/google-scram

##

wasm@activitypub.awakari.com at 2025-07-01T08:55:00.000Z ## Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists...

##

linux@activitypub.awakari.com at 2025-07-05T19:19:23.000Z ## Google releases an update for Chrome that closes a vulnerability actively exploited by attackers worldwide (CVE-2025-6554). The fixed versions are: - 138.0.7204.96/.97...

##

Android@activitypub.awakari.com at 2025-07-03T12:27:24.000Z ## Minor update(5) for Vivaldi Android Browser 7.4 This update includes backported security patch from the Chromium upstream (CVE-2025-6554). Head to the Google Play Store and download the browser. Al...

#Android #Android #Updates

##

wasm@activitypub.awakari.com at 2025-07-03T21:47:14.000Z ## Chrome Zero-Day Exploit: CVE-2025-6554 A critical Chrome zero-day exploit (CVE-2025-6554) targets the V8 engine and has been exploited in the wild. Learn how this Chrome vulnerability works and how...

#Threat #Analysis #Malware #Research

##

authentic8@mastodon.social at 2025-07-03T20:11:35.000Z ##

🚨 The Cyber Intel Brief is live! 🚨

This week, suspected nation-state threat actors wasted no time exploiting a Chrome zero-day (CVE-2025-6554). Iranian cyber operations are escalating, AI-enhanced malware evasion techniques emerge and Scattered Spider is hitting aviation.

Check out the full breakdown and analysis 👇
bit.ly/3Tnumh3

#zeroday #Iran #cyberthreats #cyberthreatintelligence #cybersecurity

##

jos1264@social.skynetcloud.site at 2025-07-03T02:25:02.000Z ##

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025 – Source: securityaffairs.com ciso2ciso.com/cve-2025-6554-is #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #hacking #Chrome

##

cR0w@infosec.exchange at 2025-07-02T21:32:31.000Z ##

Supposed PoC: github.com/DarkNavySecurity/Po

##

cisakevtracker@mastodon.social at 2025-07-02T18:00:48.000Z ##

CVE ID: CVE-2025-6554
Vendor: Google
Product: Chromium V8
Date Added: 2025-07-02
Notes: chromereleases.googleblog.com/ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

AAKL@infosec.exchange at 2025-07-02T17:25:36.000Z ##

CISA has added to the KEV catalogue.

- CVE-2025-6554: Google Chromium V8 Type Confusion Vulnerability cve.org/CVERecord?id=CVE-2025- #CISA #Google #cybersecurity #infosec

##

wasm@activitypub.awakari.com at 2025-07-02T10:52:57.000Z ## CVE-2025-6554: Chrome’s New Zero-Day Under Active Exploitation CVE-2025-6554: Chrome’s New Zero-Day Under Active Exploitation A high-severity security flaw in Google Chrome is under active expl...

#Cyber #News

##

wasm@activitypub.awakari.com at 2025-07-02T05:21:42.000Z ## Google Issues Emergency Fix for Actively Exploited Chrome Zero-Day – CVE-2025-6554 Google has released another emergency security update for its Chrome browser, addressing a high-severity zero-da...

#Security #Research #and #Intelligence

##

wasm@activitypub.awakari.com at 2025-07-02T08:21:00.000Z ## CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025 Google released security patches to address a Chrome vulnerability, tracked as CVE-2025-6554, for which an exploit exists in th...

#Breaking #News #Hacking #Chrome #information #security #news #IT #Information #Security #Pierluigi

##

patrickcmiller@infosec.exchange at 2025-07-02T03:12:04.000Z ##

Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update thehackernews.com/2025/07/goog

##

foxs@嘟文.com at 2025-07-02T01:59:50.000Z ##

CVE-2025-6554
The vulnerability hides in Chrome's core engine; just visiting a malicious web page lets an attacker remotely control your computer.
Security researchers have confirmed that the vulnerability is being exploited in real attacks, leaving corporate data and personal privacy fully exposed.
@board

##

jos1264@social.skynetcloud.site at 2025-07-01T23:25:02.000Z ##

Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update – Source:thehackernews.com ciso2ciso.com/chrome-zero-day- #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #Chrome

##

linux@activitypub.awakari.com at 2025-07-01T15:12:07.000Z ## Update your Chrome to fix new actively exploited zero-day vulnerability Google has released an urgent update for the Chrome browser to patch a vulnerability which has already been exploited. Google...

#Exploits #and #vulnerabilities #News #chrome #CVE-2025-6554

##

cR0w@infosec.exchange at 2025-07-01T16:06:28.000Z ##

@beyondmachines1 I know it's pedantic, but the Chrome advisory does not state that it is in fact EITW. It says that there is an exploit in the wild, but not that it's known to have been used successfully.

Google is aware that an exploit for CVE-2025-6554 exists in the wild.

##

beyondmachines1@infosec.exchange at 2025-07-01T16:01:22.000Z ##

Google patches actively exploited flaw in Chrome

Google has patched an actively exploited zero-day vulnerability (CVE-2025-6554) in Chrome's V8 JavaScript engine that allows remote attackers to perform arbitrary read/write operations through malicious HTML pages. The flaw was reported by Google's Threat Analysis Group, which typically investigates government-backed attacks, suggesting potential state-sponsored exploitation.

**One more urgent patch for Chrome - Google is again patching an actively exploited flaw in Chrome, and exploitation is just a visit to a malicious site. DON'T WAIT! Patch all your Chrome and Chromium browsers (Edge, Opera, Brave, Vivaldi...). Updating the browser is easy, all your tabs reopen after the patch.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

##

benzogaga33@mamot.fr at 2025-07-01T15:40:01.000Z ##

Google Chrome 138 – CVE-2025-6554: patch to protect yourself from this new zero-day flaw it-connect.fr/google-chrome-13 #ActuCybersécurité #Cybersécurité #Vulnérabilité #googlechrome

##

AAKL@infosec.exchange at 2025-07-01T14:30:28.000Z ##

Updated today:

NIST: High severity CVE-2025-6554 nvd.nist.gov/vuln/detail/CVE-2

The Hacker News: Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update thehackernews.com/2025/07/goog @thehackernews #Google #cybersecurity #Infosec #Chrome #zeroday

##

jbhall56@infosec.exchange at 2025-07-01T12:41:45.000Z ##

"Google is aware that an exploit for CVE-2025-6554 exists in the wild," the browser vendor said in a security advisory issued on Monday. bleepingcomputer.com/news/secu

##

jos1264@social.skynetcloud.site at 2025-07-01T10:40:02.000Z ##

Google patches actively exploited Chrome (CVE‑2025‑6554) helpnetsecurity.com/2025/07/01 #securityupdate #MicrosoftEdge #Don'tmiss #Hotstuff #Vivaldi #Chrome #0-day #Brave #Opera #News

##

wasm@activitypub.awakari.com at 2025-07-01T10:04:31.000Z ## Google patches actively exploited Chrome (CVE‑2025‑6554) Google has released a security update for Chrome to address a zero‑day vulnerability (CVE-2025-6554) that its Threat Analysis Group (T...

#Don't #miss #Hot #stuff #News #0-day #Brave #Chrome #Microsoft #Edge #Opera

##

cR0w@infosec.exchange at 2025-06-30T21:39:13.000Z ##

Chrome patched a sev:HIGH CVE with an ITW exploit.

Google is aware that an exploit for CVE-2025-6554 exists in the wild.

chromereleases.googleblog.com/

##

CVE-2025-37098
(7.5 HIGH)

EPSS: 0.06%

updated 2025-07-01T15:31:16

1 posts

A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.

cR0w@infosec.exchange at 2025-07-01T15:03:07.000Z ##

Go hack more remote support shit.

support.hpe.com/hpesc/public/d

Multiple security vulnerabilities have been identified in HPE Insight Remote Support. These vulnerabilities could remotely allow a directory traversal, disclosure of information, or code execution.

CVE-2025-37097 ( sev:MED 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H )

CVE-2025-37098 ( sev:MED 6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N )

CVE-2025-37099 ( sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H )

##

CVE-2025-34060
(CVSS UNKNOWN)

EPSS: 0.27%

updated 2025-07-01T15:31:16

1 posts

A PHP object injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing

cR0w@infosec.exchange at 2025-07-01T14:58:44.000Z ##

Perfect 10 in Monero forums. 🥳

swap.gs/posts/monero-forums/

github.com/monero-project/mone

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

A PHP object injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-34063
(CVSS UNKNOWN)

EPSS: 0.11%

updated 2025-07-01T15:31:10

1 posts

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstre

cR0w@infosec.exchange at 2025-07-01T15:58:47.000Z ##

I don't understand the issue here. It's literally in the name of the company. 🥳

specterops.io/blog/2025/06/10/

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.0 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-49491
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-01T12:31:05

1 posts

Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (traffic_stat modules) allows Resource Leak Exposure. This vulnerability is associated with program files traffic_stat/traffic_service/traffic_service.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-49489
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-01T12:31:05

1 posts

Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (con_mgr components) allows Resource Leak Exposure. This vulnerability is associated with program files con_mgr/dialer_task.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-49490
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-01T12:31:05

1 posts

Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure. This vulnerability is associated with program files router/sms/sms.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-49492
(7.4 HIGH)

EPSS: 0.04%

updated 2025-07-01T12:31:05

1 posts

Out-of-bounds write in ASR180x in lte-telephony may cause a buffer underrun. This vulnerability is associated with program files apps/atcmd_server/src/dev_api.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-49480
(7.4 HIGH)

EPSS: 0.04%

updated 2025-07-01T12:31:05

1 posts

Out-of-bounds access in ASR180x, ASR190x in lte-telephony. This vulnerability is associated with program files apps/lzma/src/LzmaEnc.c. This issue affects Falcon_Linux, Kestrel, Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-49481
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-01T12:31:05

1 posts

Improper Resource Shutdown or Release vulnerability in ASR180x, ASR190x in router modules allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pbwork-queue.C. This issue affects Falcon_Linux, Kestrel, Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-5072
(5.4 MEDIUM)

EPSS: 0.04%

updated 2025-07-01T09:30:40

1 posts

Resource leak vulnerability in ASR180x, ASR190x in con_mgr allows Resource Leak Exposure. This issue affects Falcon_Linux, Kestrel, Lapwing_Linux: before v1536.

cR0w@infosec.exchange at 2025-07-01T12:26:43.000Z ##

Ten CVEs in various ASR gear. They're all rated sev:HIGH by ASR, though the CVSS scores are eight sev:MED and two sev:HIGH.

asrmicro.com/en/goods/psirt?ci

CVE-2025-5072
CVE-2025-49489
CVE-2025-49490
CVE-2025-49491
CVE-2025-49492
CVE-2025-49488
CVE-2025-49480
CVE-2025-49481
CVE-2025-49482
CVE-2025-49483

##

CVE-2025-41656
(10.0 CRITICAL)

EPSS: 0.16%

updated 2025-07-01T09:30:40

1 posts

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.

cR0w@infosec.exchange at 2025-07-01T12:20:18.000Z ##

July is starting off with a perfect 10 in some OT kit. 🥳

certvde.com/en/advisories/VDE-

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.

nvd.nist.gov/vuln/detail/CVE-2

certvde.com/en/advisories/VDE-

sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-41648
(9.8 CRITICAL)

EPSS: 0.08%

updated 2025-07-01T09:30:40

1 posts

An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI.

cR0w@infosec.exchange at 2025-07-01T12:20:18.000Z ##

July is starting off with a perfect 10 in some OT kit. 🥳

certvde.com/en/advisories/VDE-

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.

nvd.nist.gov/vuln/detail/CVE-2

certvde.com/en/advisories/VDE-

sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-49521
(8.8 HIGH)

EPSS: 0.09%

updated 2025-07-01T03:31:37

1 posts

A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.

cR0w@infosec.exchange at 2025-06-30T21:42:52.000Z ##

Post-auth sev:HIGH code injection and argument injection vulns in Ansible Automation Platform.

A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.

bugzilla.redhat.com/show_bug.c

nvd.nist.gov/vuln/detail/CVE-2

A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.

bugzilla.redhat.com/show_bug.c

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-49520
(8.8 HIGH)

EPSS: 0.09%

updated 2025-07-01T03:31:36

1 posts

A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.

cR0w@infosec.exchange at 2025-06-30T21:42:52.000Z ##

Post-auth sev:HIGH code injection and argument injection vulns in Ansible Automation Platform.

A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.

bugzilla.redhat.com/show_bug.c

nvd.nist.gov/vuln/detail/CVE-2

A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.

bugzilla.redhat.com/show_bug.c

nvd.nist.gov/vuln/detail/CVE-2

##

nyanbinary at 2025-07-07T15:11:13.188Z ##

Yo, CVE-2025-32462 is fucking wild...

##

siderolabs@hachyderm.io at 2025-07-07T08:01:26.000Z ##

⚠️ New Critical Linux CVE ⚠️

Unless you’re using Talos Linux.

In which case, you're fully secure. Carry on, and let your minimal, immutable OS keep you safe from CVE-2025-32463 and CVE-2025-32462.

#CVE2025 #Linux #Kubernetes #CyberSecurity

##

adulau@infosec.exchange at 2025-07-04T16:04:38.000Z ##

Who is right with this sudo vulnerability? The CVSS reported or the VLAI severity model?

#sudo #vulnerability #vulnerabilitymanagement #threatintel

🔗 vulnerability.circl.lu/vuln/CV

##

benzogaga33@mamot.fr at 2025-07-04T15:40:03.000Z ##

Linux – Get root access with these two flaws in sudo: CVE-2025-32462 and CVE-2025-32463 it-connect.fr/linux-acces-root #ActuCybersécurité #Vulnérabilités #Cybersécurité #Linux

##

_r_netsec@infosec.exchange at 2025-07-04T08:43:05.000Z ##

CVE-2025-32462: sudo: LPE via host option access.redhat.com/security/cve

##

jos1264@social.skynetcloud.site at 2025-07-02T17:45:03.000Z ##

CVE-2025-32463 and CVE-2025-32462: Sudo Local Privilege Escalation Vulnerabilities Threaten Linux Environments – Source: socprime.com ciso2ciso.com/cve-2025-32463-a #rssfeedpostgeneratorecho #PrivilageEscalation #CyberSecurityNews #CVE-2025-32462 #CVE-2025-32463 #Latestthreats #Vulnerability #socprimecom #socprime #Blog #CVE

##

finn@surfin.dog at 2025-07-02T14:49:26.000Z ##

update sudo yall nvd.nist.gov/vuln/detail/CVE-2

##

cR0w@infosec.exchange at 2025-07-01T15:14:21.000Z ##

I think I boosted information about these sudo EoP vulns yesterday but in case I didn't, here's some basic info on them.

stratascale.com/vulnerability-

sev:LOW 2.8 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

nvd.nist.gov/vuln/detail/CVE-2

stratascale.com/vulnerability-

sev:CRIT 9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

nvd.nist.gov/vuln/detail/CVE-2

##

Ubuntu@activitypub.awakari.com at 2025-07-01T12:58:55.000Z ##

Sudo local privilege escalation vulnerabilities fixed (CVE-2025-32462, CVE-2025-32463) If you haven’t recently updated the Sudo utility on your Linux box(es), you should do so now, to patch two l...

#Don't #miss #Hot #stuff #News #Debian #Linux #macOS #Stratascale #SUSE #Ubuntu

##

jos1264@social.skynetcloud.site at 2025-07-01T13:55:02.000Z ##

Sudo local privilege escalation vulnerabilities fixed (CVE-2025-32462, CVE-2025-32463) helpnetsecurity.com/2025/07/01 #vulnerability #Stratascale #Don'tmiss #Hotstuff #Debian #Ubuntu #Linux #macOS #News #SUSE

##

CVE-2025-6019
(7.0 None)

EPSS: 0.02%

updated 2025-06-30T03:31:34

1 posts

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-pr

4 repos

https://github.com/dreysanox/CVE-2025-6019_Poc

https://github.com/And-oss/CVE-2025-6019-exploit

https://github.com/neko205-mx/CVE-2025-6019_Exploit

https://github.com/guinea-offensive-security/CVE-2025-6019

undercodenews@mastodon.social at 2025-07-07T07:08:47.000Z ##

Critical Linux Vulnerability CVE-2025-6019 Lets Users Gain Root Access via udisksd Flaw

Alarming Privilege Escalation Threat Found in Popular Linux Distros

A newly discovered Linux vulnerability, tracked as CVE-2025-6019, has raised major concerns among cybersecurity professionals. Found in June 2025, this flaw exposes a serious local privilege escalation (LPE) risk affecting widely used Linux distributions including Fedora and SUSE. The vulnerability lies within the…

undercodenews.com/critical-lin

##

CVE-2024-54085
(9.8 CRITICAL)

EPSS: 9.47%

updated 2025-06-27T12:32:19

1 posts

AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

1 repos

https://github.com/Mr-Zapi/CVE-2024-54085

benzogaga33@mamot.fr at 2025-07-02T15:40:02.000Z ##

This critical flaw in MegaRAC threatens thousands of servers, including powered-off ones! it-connect.fr/faille-ami-megar #ActuCybersécurité #Cybersécurité #Vulnérabilité

##

CVE-2025-49132
(10.0 CRITICAL)

EPSS: 23.69%

updated 2025-06-23T20:16:21.633000

1 posts

Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract s

Nuclei template

6 repos

https://github.com/nfoltc/CVE-2025-49132

https://github.com/uxieltc/CVE-2025-49132

https://github.com/63square/CVE-2025-49132

https://github.com/Zen-kun04/CVE-2025-49132

https://github.com/qiaojojo/CVE-2025-49132_poc

https://github.com/melonlonmeo/CVE-2025-49132

cR0w@infosec.exchange at 2025-06-30T21:50:38.000Z ##

FYI: There is a ton of scanning for this one for some reason.

/locales/locale.json?locale=../../../pterodactyl&namespace=config/database

/locales/locale.json?locale=../../config/&namespace=database

github.com/Zen-kun04/CVE-2025-

##

CVE-2024-12086
(6.1 MEDIUM)

EPSS: 0.16%

updated 2025-06-20T21:32:01

1 posts

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed che

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-12087
(6.5 MEDIUM)

EPSS: 0.66%

updated 2025-06-20T18:28:57.620000

1 posts

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-12088
(6.5 MEDIUM)

EPSS: 0.52%

updated 2025-06-18T16:29:29.573000

1 posts

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

undercodenews@mastodon.social at 2025-07-07T23:18:14.000Z ##

CitrixBleed2: Critical Citrix Vulnerability Raises Red Flags as Exploits Go Public

A Dangerous Déjà Vu for Citrix NetScaler Devices

A new vulnerability dubbed CitrixBleed2 (CVE-2025-5777) has surfaced, and the vulnerability allows attackers to extract memory contents and steal session tokens using nothing more than malformed login requests. Researchers warn that while Citrix insists there is "no current evidence" of active exploitation, multiple cybersecurity firms and…

undercodenews.com/citrixbleed2

##

oversecurity@mastodon.social at 2025-07-07T23:10:11.000Z ##

Public exploits released for CitrixBleed 2 NetScaler flaw, patch now

Researchers have released proof-of-concept (PoC) exploits for a critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed...

🔗️ [Bleepingcomputer] link.is.it/UNCVV1

##

GossiTheDog@cyberplace.social at 2025-07-07T22:33:32.000Z ##

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.

HT @ntkramer and the folks at @greynoise

Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs: viz.greynoise.io/tags/citrixbl

##

ntkramer at 2025-07-07T21:56:30.771Z ##

🥜 & - Thanks to Horizon3, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling. Currently, we see 233 hits starting on July 1 from:

Follow along here: viz.greynoise.io/tags/citrixbl

##

GossiTheDog@cyberplace.social at 2025-07-07T17:02:49.000Z ##

Horizon3 have a good write up here, I don't think they were aware this is already being exploited for almost a month: horizon3.ai/attack-research/at

Worth noting I was only able to find exploitation activity due to the WatchTowr and Horizon3 write ups - Citrix support wouldn't disclose any IOCs and incorrectly claimed (again - happened with CitrixBleed) that there was no exploitation in the wild. Citrix have gotta get better at this, they're harming customers.

##

GossiTheDog@cyberplace.social at 2025-07-07T16:53:31.000Z ##

CVE-2025-5777 (Citrix Netscaler vuln) has been under active exploitation since mid June, with people dumping memory and using this to try to access sessions.

TTPs to hunt for:

- In Netscaler logs, repeated POST requests to *doAuthentication* - each one yields 126 bytes of RAM

- In Netscaler logs, requests to doAuthentication.do with "Content-Length: 5"

- In Netscaler user logs, lines with *LOGOFF* and user = "*#*" (i.e. # symbol in the username). RAM is played into the wrong field.

##

AAKL at 2025-07-07T16:29:51.015Z ##

Picus: CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained picussecurity.com/resource/blo

##

cert_fr@social.numerique.gouv.fr at 2025-07-07T15:23:17.000Z ##

⚠️ CERT-FR Alert ⚠️
Update to alert CERTFR-2025-ALE-009: vulnerability CVE-2025-5777 allows an unauthenticated attacker to leak Citrix NetScaler credentials.
A PoC is available and it is being actively exploited.
cert.ssi.gouv.fr/alerte/CERTFR

##

undercodenews@mastodon.social at 2025-07-07T13:50:28.000Z ##

CitrixBleed 2: A New Wave of Critical Exploits Hits NetScaler Devices

A Growing Concern for Enterprise Security

A newly disclosed vulnerability known as CitrixBleed 2, officially tracked as CVE-2025-5777, is triggering alarm bells across the cybersecurity landscape. Affecting Citrix NetScaler ADC and Gateway appliances, this flaw has a CVSS score of 9.3, underscoring its critical severity. What makes CitrixBleed 2 particularly dangerous is its ability to bypass…

undercodenews.com/citrixbleed-

##

_r_netsec at 2025-07-07T13:43:06.032Z ##

CVE-2025-5777, aka CitrixBleed 2, Deep-Dive and Indicators of Compromise horizon3.ai/attack-research/at

##

gwire@mastodon.social at 2025-07-07T12:35:37.000Z ##

When the number of vulnerable IPs ticks up by a small number, I'm assuming they're honeypots?

(Graph is vulnerable Citrix NetScaler endpoints in the UK.)

dashboard.shadowserver.org/sta

##

GossiTheDog@cyberplace.social at 2025-07-07T12:04:44.000Z ##

CVE-2025-5777 is under active exploitation, since before the WatchTowr blog.

##

LLMs@activitypub.awakari.com at 2025-07-04T19:13:56.000Z ##

How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) Before you dive into our latest diatribe, indulge us and join us on a journey. Sit in your chair, sta...

##

GossiTheDog@cyberplace.social at 2025-07-05T18:54:14.000Z ##

Updated scan results for CVE-2025-5777: github.com/GossiTheDog/scannin

It's still partial due to bugs, but about 18k servers.

##

AAKL@infosec.exchange at 2025-07-05T16:50:05.000Z ##

Posted yesterday.

WatchTower: How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) labs.watchtowr.com/how-much-mo @watchtower #Citrix #cybersecurity #infosec

##

jos1264@social.skynetcloud.site at 2025-07-05T03:01:17.000Z ##

CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2” in NetScaler ADC Faces Exploitation Risk – Source: socprime.com ciso2ciso.com/cve-2025-5777-de #rssfeedpostgeneratorecho #CyberSecurityNews #CVE-2025-5777 #Latestthreats #Vulnerability #CitrixBleed2 #socprimecom #socprime #Blog #CVE

##

GossiTheDog@cyberplace.social at 2025-07-04T21:08:45.000Z ##

First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. labs.watchtowr.com/how-much-mo

If you call the login page, it leaks memory in the response 🤣

I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.

##

nopatience@swecyb.com at 2025-07-04T20:49:55.000Z ##

labs.watchtowr.com/how-much-mo

Have not read this yet, but I'm going to assume it's good... and entertaining.

@GossiTheDog This is what you were talking about right? 🙂

#Threatintel #Cybersecurity #Infosec

##

_r_netsec@infosec.exchange at 2025-07-04T19:28:06.000Z ##

How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) - watchTowr Labs labs.watchtowr.com/how-much-mo

##

soc_prime@infosec.exchange at 2025-07-04T14:30:36.000Z ##

Heads up—CitrixBleed 2 reopens old wounds! CVE-2025-5777 puts NetScaler ADC at high risk, enabling user session hijacks & auth bypass. Detect potential exploitation attempts with the latest Sigma rule from SOC Prime Platform.

socprime.com/blog/detect-cve-2

##

GossiTheDog@cyberplace.social at 2025-07-04T10:38:44.000Z ##

I've published my scan in progress of CVE-2025-5777 patching status, listing IPs, hostnames, Citrix Netscaler build numbers and if they're vulnerable to CitrixBleed2.

The scan isn't finished yet so these are only about a quarter of the results - unfortunately my coding skills are shite and it's really slow - should be finished over weekend or early next week.

Also, the SSL certificate hostnames are separated by comma which throws out CSV - sorry, I'll fix that later.

github.com/GossiTheDog/scannin

##

GossiTheDog@cyberplace.social at 2025-07-04T10:20:08.000Z ##

Further suggestions CVE-2025-5777 details will release next week. xcancel.com/Horizon3Attack/sta via horizon3.ai

##

GossiTheDog@cyberplace.social at 2025-07-04T08:27:04.000Z ##

I expect technical details of CVE-2025-5777 exploitation to become available next week.

##

GossiTheDog@cyberplace.social at 2025-07-01T09:42:59.000Z ##

If you see this GitHub PoC for CVE-2025-5777 doing the rounds:

github.com/mingshenhk/CitrixBl

It’s not for CVE-2025-5777. It’s AI generated. The links in the README still have ChatGPT UTM sources.

The PoC itself is for a vuln addressed in 2023 - ChatGPT has hallucinated (made up) the cause of the vuln using an old BishopFox write up of the other vuln.

##

GossiTheDog@cyberplace.social at 2025-07-01T09:36:40.000Z ##

Citrix blog on CVE-2025-5777 and some other ones netscaler.com/blog/news/netsca

##

CVE-2024-52533
(9.8 CRITICAL)

EPSS: 0.72%

updated 2025-06-17T01:23:56.150000

1 posts

gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-49596
(0 None)

EPSS: 0.52%

updated 2025-06-16T12:32:18.840000

2 posts

The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.

1 repos

https://github.com/ashiqrehan-21/MCP-Inspector-CVE-2025-49596

beyondmachines1@infosec.exchange at 2025-07-02T09:01:22.000Z ##

Critical remote code execution flaw reported in Anthropic's MCP Inspector tool

Cybersecurity researchers disclosed a critical vulnerability (CVE-2025-49596, CVSS 9.4) in Anthropic's Model Context Protocol (MCP) Inspector debugging tool that allows remote code execution on developer machines through browser-based attacks exploiting the "0.0.0.0 Day" vulnerability and lack of authentication in default configurations. Attackers can compromise developer systems by tricking them into visiting malicious websites that send unauthorized commands to locally running MCP Inspector instances.

**If you're using Anthropic's MCP Inspector for AI development upgrade to version 0.14.1 or later. There is a fairly trivial exploit of your MCP Inspector tool that only requires you to visit a malicious site for your laptop to be fully compromised. So don't ignore this, update your MCP Inspector.**
#cybersecurity #infosec #advisory #vulnerability
beyondmachines.net/event_detai

##

_r_netsec@infosec.exchange at 2025-07-02T00:28:05.000Z ##

Critical RCE in Anthropic MCP Inspector (CVE-2025-49596) Enables Browser-Based Exploits | Oligo Security oligo.security/blog/critical-r

##

CVE-2025-22157
(8.8 HIGH)

EPSS: 0.05%

updated 2025-06-12T18:31:14

1 posts

This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions: 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server This PrivEsc (Privilege Escalation) vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileged user. Atl

DarkWebInformer@infosec.exchange at 2025-07-02T00:06:31.000Z ##

🚨CVE-2025-22157: Privilege Escalation Vulnerability in Jira Core Data Center

darkwebinformer.com/cve-2025-2

——————

Follow @zoomeye_team's official Twitter/X account and send the message “Dark Web Informer” via DM to receive an extra 15-day membership.

##

CVE-2025-32711
(9.3 CRITICAL)

EPSS: 0.10%

updated 2025-06-11T15:30:38

2 posts

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

1 repos

https://github.com/daryllundy/cve-2025-32711

avuko at 2025-07-07T11:31:28.511Z ##

I do not consent to be used by, used for, or interact in any way with AI.

Reason number 163.327.205:

msrc.microsoft.com/update-guid

##

CVE-2025-47176
(7.8 HIGH)

EPSS: 0.06%

updated 2025-06-10T21:32:26

1 posts

'.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.

CVE-2025-33073
(8.8 HIGH)

EPSS: 0.39%

updated 2025-06-10T18:32:36

1 posts

Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.

2 repos

https://github.com/mverschu/CVE-2025-33073

https://github.com/obscura-cert/CVE-2025-33073

kpwn@infosec.exchange at 2025-07-03T13:09:02.000Z ##

Rank 3: CVE-2025-33073
Product: Microsoft Windows
CVSS: High (8.8)

A privilege-escalation vulnerability in Microsoft Windows Kerberos authentication over SMB allows a low-privileged attacker to coerce a Windows host into authenticating to their system and then relay its computer account's Kerberos ticket back to itself, resulting in NT AUTHORITY\SYSTEM access.

Post by @RedTeamPentesting:
mastodon.social/@RedTeamPentes

##

CVE-2024-6119
(7.5 HIGH)

EPSS: 0.67%

updated 2025-06-03T12:31:37

1 posts

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certifi

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-12133
(5.3 MEDIUM)

EPSS: 0.22%

updated 2025-06-02T15:32:27

1 posts

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-12747
(5.6 MEDIUM)

EPSS: 0.01%

updated 2025-06-02T15:31:21

1 posts

A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-8176
(7.5 HIGH)

EPSS: 0.36%

updated 2025-06-02T15:31:21

1 posts

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depen

1 repos

https://github.com/uthrasri/Expat_2.6.2_CVE-2024-8176

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-48927
(5.3 MEDIUM)

EPSS: 11.15%

updated 2025-05-28T18:33:28

3 posts

The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.

beyondmachines1@infosec.exchange at 2025-07-04T09:01:18.000Z ##

CISA warns of active attacks on Signal clone TeleMessage

CISA has issued a warning about two actively exploited vulnerabilities in TeleMessage TM SGNL, a Signal clone used by national security staffers and government officials, including a Spring Boot Actuator misconfiguration (CVE-2025-48927) that exposes memory dumps and a local access vulnerability (CVE-2025-48928) enabling password extraction.

**If you're using TeleMessage TM SGNL, start patching it today, because it's being actively exploited. Alternatively, stop using the software entirely. Switch back to standard Signal or another approved properly encrypted messaging app since TM SGNL has already been breached and continues to be attacked.**
#cybersecurity #infosec #attack #activeattack
beyondmachines.net/event_detai

##

AAKL@infosec.exchange at 2025-07-01T19:28:38.000Z ##

CISA has added to the KEV catalogue:

- CVE-2025-48927: TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability cve.org/CVERecord?id=CVE-2025-

- CVE-2025-48928: TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability cve.org/CVERecord?id=CVE-2025-

From yesterday:

- CVE-2025-6543: Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2025- #CISA #cybersecurity #infosec

##

cisakevtracker@mastodon.social at 2025-07-01T18:01:08.000Z ##

CVE ID: CVE-2025-48927
Vendor: TeleMessage
Product: TM SGNL
Date Added: 2025-07-01
Notes: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-26466
(5.9 MEDIUM)

EPSS: 46.59%

updated 2025-05-27T18:30:48

1 posts

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become

3 repos

https://github.com/mrowkoob/CVE-2025-26466-msf

https://github.com/rxerium/CVE-2025-26466

https://github.com/dolutech/patch-manual-CVE-2025-26465-e-CVE-2025-26466

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2023-27043
(5.3 MEDIUM)

EPSS: 0.11%

updated 2025-05-19T12:38:20.773000

1 posts

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addr

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-50602
(5.9 MEDIUM)

EPSS: 0.04%

updated 2025-04-30T20:15:20.730000

1 posts

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-10918
(4.8 MEDIUM)

EPSS: 0.10%

updated 2025-04-29T18:31:51

1 posts

Stack-based Buffer Overflow vulnerability in libmodbus v3.1.10 allows an attacker to overflow the buffer allocated for the Modbus response if the function tries to reply to a Modbus request with an unexpected length.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-9287
(7.8 HIGH)

EPSS: 0.04%

updated 2025-04-25T23:15:16.573000

1 posts

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e., `source venv/bin/activate`). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-38428
(9.1 CRITICAL)

EPSS: 0.27%

updated 2025-04-21T12:30:24

1 posts

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2014-3931
(9.8 CRITICAL)

EPSS: 1.67%

updated 2025-04-20T03:36:04

7 posts

fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote attackers to cause an arbitrary memory write and memory corruption.

AAKL at 2025-07-07T18:10:09.246Z ##

CISA has updated the KEV catalogue.

- CVE-2014-3931: Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2014-

- CVE-2016-10033: PHPMailer Command Injection Vulnerability cve.org/CVERecord?id=CVE-2016-

- CVE-2019-5418: Rails Ruby on Rails Path Traversal Vulnerability cve.org/CVERecord?id=CVE-2019-

- CVE-2019-9621: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability cve.org/CVERecord?id=CVE-2019-

##

cR0w at 2025-07-07T18:03:41.105Z ##

Four old CVEs added to the CISA KEV Catalog today:
CVE-2014-3931
CVE-2016-10033
CVE-2019-5418
CVE-2019-9621

##

cisakevtracker@mastodon.social at 2025-07-07T18:01:58.000Z ##

CVE ID: CVE-2014-3931
Vendor: Looking Glass
Product: Multi-Router Looking Glass (MRLG)
Date Added: 2025-07-07
Notes: mrlg.op-sec.us/ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

undercodenews@mastodon.social at 2025-07-07T17:44:53.000Z ##

Critical Vulnerability Exposed: Memory Corruption in MRLG fastping.c (CVE-2014-3931)

🚨 Introduction: Why This CVE Matters In the rapidly evolving world of network security, even small software vulnerabilities can open doors for devastating cyberattacks. One such threat lies within the widely used Multi-Router Looking Glass (MRLG) tool. This tool enables remote network diagnostics by querying routers via ping and traceroute. However, a flaw discovered in an older version…

undercodenews.com/critical-vul

##

CVE-2015-7697
(CVSS UNKNOWN)

EPSS: 30.28%

updated 2025-04-12T12:54:49

1 posts

Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-24813
(9.8 CRITICAL)

EPSS: 93.98%

updated 2025-04-03T13:23:54

2 posts

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able t

Nuclei template

38 repos

https://github.com/mbanyamer/Apache-Tomcat---Remote-Code-Execution-via-Session-Deserialization-CVE-2025-24813-

https://github.com/hakankarabacak/CVE-2025-24813

https://github.com/B1gN0Se/Tomcat-CVE-2025-24813

https://github.com/Erosion2020/CVE-2025-24813-vulhub

https://github.com/beyond-devsecops/CVE-2025-24813

https://github.com/manjula-aw/CVE-2025-24813

https://github.com/La3B0z/CVE-2025-24813-POC

https://github.com/msadeghkarimi/CVE-2025-24813-Exploit

https://github.com/MuhammadWaseem29/CVE-2025-24813

https://github.com/N0c1or/CVE-2025-24813_POC

https://github.com/GadaLuBau1337/CVE-2025-24813

https://github.com/n0n-zer0/Spring-Boot-Tomcat-CVE-2025-24813

https://github.com/Heimd411/CVE-2025-24813-noPoC

https://github.com/FY036/cve-2025-24813_poc

https://github.com/absholi7ly/POC-CVE-2025-24813

https://github.com/iSee857/CVE-2025-24813-PoC

https://github.com/AlperenY-cs/CVE-2025-24813

https://github.com/maliqto/PoC-CVE-2025-24813

https://github.com/Alaatk/CVE-2025-24813-POC

https://github.com/ps-interactive/lab-cve-2025-24813

https://github.com/charis3306/CVE-2025-24813

https://github.com/gregk4sec/CVE-2025-24813

https://github.com/Franconyu/Poc_for_CVE-2025-24813

https://github.com/horsehacks/CVE-2025-24813-checker

https://github.com/u238/Tomcat-CVE_2025_24813

https://github.com/issamjr/CVE-2025-24813-Scanner

https://github.com/Mattb709/CVE-2025-24813-Scanner

https://github.com/f8l124/CVE-2025-24813-POC

https://github.com/fatkz/CVE-2025-24813

https://github.com/GongWook/CVE-2025-24813

https://github.com/michael-david-fry/Apache-Tomcat-Vulnerability-POC-CVE-2025-24813

https://github.com/yaleman/cve-2025-24813-poc

https://github.com/Eduardo-hardvester/CVE-2025-24813

https://github.com/tonyarris/CVE-2025-24813-PoC

https://github.com/Mattb709/CVE-2025-24813-PoC-Apache-Tomcat-RCE

https://github.com/AsaL1n/CVE-2025-24813

https://github.com/x1ongsec/CVE-2025-24813

https://github.com/imbas007/CVE-2025-24813-apache-tomcat

cR0w@infosec.exchange at 2025-07-03T12:48:29.000Z ##

Unit42 has a good write-up on some ITW Tomcat and Camel shenanigans exploiting CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891. IOCs in the post.

But does anyone know if this is a typo by the article or if there are actual files with the .sesson extension? Seems like a good indicator to search on if it's not a typo.

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .sesson in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Edit: Confirmed typo per this response: infosec.exchange/@0xThiebaut/1

unit42.paloaltonetworks.com/ap

#threatIntel

##

LCSC_IE@infosec.exchange at 2025-07-03T11:49:00.000Z ##

🟥LCSC-IE Daily Cyber Security Findings - 3 July 2025🟥

News:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

Global Breach News and Data Leaks:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

Tactical Reports with IOCs:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

APT IOCs:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin
Accounts-mysticete[.]servepics[.]com
freedrive[.]servehttp[.]com
login-accounts[.]servehttp[.]com
myaccounts-profile[.]servehttp[.]com
mydocs[.]onthewifi[.]com
securedrive-mofa[.]servehttp[.]com
translate[.]onthewifi[.]com
undocs[.]ddns[.]net
undocs[.]myvnc[.]com
undocs[.]servehttp[.]com

---

Threat Hunting / DFIR / Malware:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

Light Reading:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

##

CVE-2025-27636
(CVSS UNKNOWN)

EPSS: 43.34%

updated 2025-03-25T18:38:11

2 posts

Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter

2 repos

https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC

https://github.com/enochgitgamefied/CVE-2025-27636-Practical-Lab

cR0w@infosec.exchange at 2025-07-03T12:48:29.000Z ##

Unit42 has a good write-up on some ITW Tomcat and Camel shenanigans exploiting CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891. IOCs in the post.

But does anyone know if this is a typo by the article or if there are actual files with the .sesson extension? Seems like a good indicator to search on if it's not a typo.

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .sesson in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Edit: Confirmed typo per this response: infosec.exchange/@0xThiebaut/1

unit42.paloaltonetworks.com/ap

#threatIntel

##

LCSC_IE@infosec.exchange at 2025-07-03T11:49:00.000Z ##

🟥LCSC-IE Daily Cyber Security Findings - 3 July 2025🟥

News:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

𝐀𝐏𝐓 𝐈𝐎𝐂𝐬:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin
Accounts-mysticete[.]servepics[.]com
freedrive[.]servehttp[.]com
login-accounts[.]servehttp[.]com
myaccounts-profile[.]servehttp[.]com
mydocs[.]onthewifi[.]com
securedrive-mofa[.]servehttp[.]com
translate[.]onthewifi[.]com
undocs[.]ddns[.]net
undocs[.]myvnc[.]com
undocs[.]servehttp[.]com

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

##

CVE-2024-10524
(6.5 MEDIUM)

EPSS: 0.48%

updated 2025-03-21T18:15:32.323000

1 posts

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-12085
(7.5 HIGH)

EPSS: 1.18%

updated 2025-03-20T09:30:27

1 posts

A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-29891
(4.2 MEDIUM)

EPSS: 0.09%

updated 2025-03-19T15:44:53

2 posts

Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.9.0 before 4.10.2, from 4.0.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific

cR0w@infosec.exchange at 2025-07-03T12:48:29.000Z ##

Unit42 has a good write-up on some ITW Tomcat and Camel shenanigans exploiting CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891. IOCs in the post.

But does anyone know if this is a typo by the article or if there are actual files with the .sesson extension? Seems like a good indicator to search on if it's not a typo.

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .sesson in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Edit: Confirmed typo per this response: infosec.exchange/@0xThiebaut/1

unit42.paloaltonetworks.com/ap

#threatIntel

##

LCSC_IE@infosec.exchange at 2025-07-03T11:49:00.000Z ##

🟥𝐋𝐂𝐒𝐂-𝐈𝐄 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐅𝐢𝐧𝐝𝐢𝐧𝐠𝐬-𝟑 𝐉𝐮𝐥𝐲 𝟐𝟎𝟐𝟓🟥

𝐍𝐞𝐰𝐬:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

𝐀𝐏𝐓 𝐈𝐎𝐂𝐬:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin
Accounts-mysticete[.]servepics[.]com
freedrive[.]servehttp[.]com
login-accounts[.]servehttp[.]com
myaccounts-profile[.]servehttp[.]com
mydocs[.]onthewifi[.]com
securedrive-mofa[.]servehttp[.]com
translate[.]onthewifi[.]com
undocs[.]ddns[.]net
undocs[.]myvnc[.]com
undocs[.]servehttp[.]com

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

##

CVE-2025-0167
(3.4 LOW)

EPSS: 0.06%

updated 2025-03-07T03:32:33

1 posts

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-0665
(9.8 CRITICAL)

EPSS: 2.35%

updated 2025-03-07T03:32:33

1 posts

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-27113
(2.9 LOW)

EPSS: 0.07%

updated 2025-03-07T03:31:33

1 posts

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-1094
(8.1 HIGH)

EPSS: 83.63%

updated 2025-02-21T18:31:09

1 posts

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, i

5 repos

https://github.com/ishwardeepp/CVE-2025-1094-PoC-Postgre-SQLi

https://github.com/B1ack4sh/Blackash-CVE-2025-1094

https://github.com/shacojx/CVE-2025-1094-Exploit

https://github.com/soltanali0/CVE-2025-1094-Exploit

https://github.com/aninfosec/CVE-2025-1094

kpwn@infosec.exchange at 2025-07-03T13:10:01.000Z ##

Rank 1: CVE-2025-1094 "CitrixBleed 2"
Product: NetScaler ADC
CVSS: Critical (9.3)

A vulnerability in the input validation of NetScaler Application Delivery Controller (ADC) allows an unauthenticated remote attacker to read memory when configured as a Gateway or AAA virtual server. The memory may include sensitive information like session tokens.

Post by @GossiTheDog:
cyberplace.social/@GossiTheDog

##

CVE-2025-24965
(0 None)

EPSS: 0.10%

updated 2025-02-19T17:15:15.510000

1 posts

crun is an open source OCI Container Runtime fully written in C. In affected versions, a malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgra

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-26465
(6.8 MEDIUM)

EPSS: 56.74%

updated 2025-02-19T15:33:13

1 posts

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory re

2 repos

https://github.com/rxerium/CVE-2025-26465

https://github.com/dolutech/patch-manual-CVE-2025-26465-e-CVE-2025-26466

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-12705
(7.5 HIGH)

EPSS: 0.13%

updated 2025-02-07T18:32:19

1 posts

Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-6232
(7.5 HIGH)

EPSS: 0.91%

updated 2025-01-31T21:32:45

1 posts

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-11053
(9.1 CRITICAL)

EPSS: 0.17%

updated 2025-01-31T15:31:47

1 posts

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-55591
(9.8 CRITICAL)

EPSS: 94.25%

updated 2025-01-23T02:00:02.310000

1 posts

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Nuclei template

10 repos

https://github.com/sysirq/fortios-auth-bypass-poc-CVE-2024-55591

https://github.com/binarywarm/exp-cmd-add-admin-vpn-CVE-2024-55591

https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591

https://github.com/rawtips/CVE-2024-55591

https://github.com/virus-or-not/CVE-2024-55591

https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591

https://github.com/exfil0/CVE-2024-55591-POC

https://github.com/UMChacker/CVE-2024-55591-POC

https://github.com/0x7556/CVE-2024-55591

https://github.com/sysirq/fortios-auth-bypass-exploit-CVE-2024-55591

DarkWebInformer@infosec.exchange at 2025-07-04T18:08:13.000Z ##

🚨Alleged Sale of Mass Exploit for FortiGate targeting CVE-2024-55591

##

CVE-2019-11932
(8.8 HIGH)

EPSS: 80.16%

updated 2025-01-13T15:21:41

1 posts

A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

21 repos

https://github.com/kal1gh0st/WhatsAppHACK-RCE

https://github.com/infiniteLoopers/CVE-2019-11932

https://github.com/dorkerdevil/CVE-2019-11932

https://github.com/tucommenceapousser/CVE-2019-11932deta

https://github.com/Tabni/https-github.com-awakened1712-CVE-2019-11932

https://github.com/TulungagungCyberLink/CVE-2019-11932

https://github.com/zxn1/CVE-2019-11932

https://github.com/0759104103/cd-CVE-2019-11932

https://github.com/JasonJerry/WhatsRCE

https://github.com/primebeast/CVE-2019-11932

https://github.com/mRanonyMousTZ/CVE-2019-11932-whatsApp-exploit

https://github.com/fastmo/CVE-2019-11932

https://github.com/valbrux/CVE-2019-11932-SupportApp

https://github.com/BadAssAiras/hello

https://github.com/starling021/CVE-2019-11932-SupportApp

https://github.com/awakened1712/CVE-2019-11932

https://github.com/SmoZy92/CVE-2019-11932

https://github.com/tucommenceapousser/CVE-2019-11932

https://github.com/Err0r-ICA/WhatsPayloadRCE

https://github.com/dashtic172/https-github.com-awakened171

https://github.com/k3vinlusec/WhatsApp-Double-Free-Vulnerability_CVE-2019-11932

CVE-2024-5594
(9.1 CRITICAL)

EPSS: 0.11%

updated 2025-01-06T18:32:07

1 posts

OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly, which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

cR0w@infosec.exchange at 2025-07-01T18:34:58.000Z ##

@Sempf Are you specifically asking about EITW when the mitigation for CVE-2024-50379 was applied or regardless of the CVE-2024-50379 mitigation since CVE-2024-56337 was basically a bypass for the incomplete CVE-2024-50379 fix, right?

##

CVE-2024-56337
(9.8 CRITICAL)

EPSS: 9.71%

updated 2025-01-03T12:15:26.787000

2 posts

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to t

1 repos

https://github.com/SleepingBag945/CVE-2024-50379

cR0w@infosec.exchange at 2025-07-01T18:34:58.000Z ##

@Sempf Are you specifically asking about EITW when the mitigation for CVE-2024-50379 was applied or regardless of the CVE-2024-50379 mitigation since CVE-2024-56337 was basically a bypass for the incomplete CVE-2024-50379 fix, right?

##

Sempf@infosec.exchange at 2025-07-01T18:25:28.000Z ##

Hey vulnerability people: Any scuttlebutt on active exploitation of CVE-2024-56337? It isn't in the KEV but ... well ....

##

CVE-2024-12856
(7.2 HIGH)

EPSS: 77.16%

updated 2024-12-27T18:30:32

1 posts

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnera

1 repos

https://github.com/nu113d/CVE-2024-12856

cR0w@infosec.exchange at 2025-07-03T14:53:59.000Z ##

Oh, goodie. Another botnet. This one is exploiting CVE-2024-3721 and CVE-2024-12856 in DVRs and routers to launch DDoS attacks.

fortinet.com/blog/threat-resea

IOCs

Hosts

45[.]135[.]194[.]34
83[.]150[.]218[.]93
14[.]103[.]145[.]202
14[.]103[.]145[.]211
154[.]91[.]254[.]95
78[.]153[.]149[.]90

Files

Downloader

c88f60dbae08519f2f81bb8efa7e6016c6770e66e58d77ab6384069a515e451c
eb3e2a6a50f029fc646e2c3483157ab112f4f017406c3aabedaae0c94e0969f6
f4cd7ab04b1744babef19d147124bfc0e9e90d557408cc2d652d7192df61bda9

RondoDox
cc: @Dio9sys @da_667 since this seems like the kind of thing you might want to sig / tag.

##

CVE-2024-9681
(5.9 MEDIUM)

EPSS: 0.26%

updated 2024-12-13T15:31:42

1 posts

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second ho

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-9341
(5.4 MEDIUM)

EPSS: 0.26%

updated 2024-12-11T06:30:25

1 posts

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing t

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-6874
(4.3 MEDIUM)

EPSS: 0.24%

updated 2024-11-21T09:50:26.493000

2 posts

libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This

CVE-2021-4217
(3.3 LOW)

EPSS: 0.13%

updated 2024-11-21T06:37:10.350000

1 posts

A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

1 repos

https://github.com/minhnq22/CVE-2021-42171

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2019-13638
(7.8 HIGH)

EPSS: 3.45%

updated 2024-11-21T04:25:25.007000

1 posts

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2018-6951
(7.5 HIGH)

EPSS: 23.09%

updated 2024-11-21T04:11:28.273000

1 posts

An issue was discovered in GNU patch through 2.7.6. There is a segmentation fault, associated with a NULL pointer dereference, leading to a denial of service in the intuit_diff_type function in pch.c, aka a "mangled rename" issue.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-5742
(4.7 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T18:30:50

1 posts

A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.

3 repos

https://github.com/ahrixia/CVE-2024-57427

https://github.com/ahrixia/CVE-2024-57428

https://github.com/ahrixia/CVE-2024-57429

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-9143
(4.3 MEDIUM)

EPSS: 0.65%

updated 2024-11-08T18:31:50

1 posts

Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "n

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-28882
(4.3 MEDIUM)

EPSS: 0.53%

updated 2024-11-02T00:37:22

1 posts

OpenVPN 2.6.10 and earlier in a server role accepts multiple exit notifications from authenticated clients, which will extend the validity of a closing session.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-8006
(4.4 MEDIUM)

EPSS: 0.05%

updated 2024-09-19T17:46:03.447000

1 posts

Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NUL

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2023-7256
(4.4 MEDIUM)

EPSS: 0.05%

updated 2024-08-31T00:31:11

1 posts

In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns. This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for th

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-6345
(8.8 HIGH)

EPSS: 0.23%

updated 2024-08-04T05:03:40

1 posts

A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execut

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-5535
(9.1 CRITICAL)

EPSS: 5.15%

updated 2024-07-12T15:31:25

1 posts

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from me

1 repos

https://github.com/websecnl/CVE-2024-5535

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-3721
(6.3 MEDIUM)

EPSS: 57.40%

updated 2024-04-13T12:30:30

1 posts

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573

cR0w@infosec.exchange at 2025-07-03T14:53:59.000Z ##

Oh, goodie. Another botnet. This one is exploiting CVE-2024-3721 and CVE-2024-12856 in DVRs and routers to launch DDoS attacks.

fortinet.com/blog/threat-resea

IOCs

Hosts

45[.]135[.]194[.]34
83[.]150[.]218[.]93
14[.]103[.]145[.]202
14[.]103[.]145[.]211
154[.]91[.]254[.]95
78[.]153[.]149[.]90

Files

Downloader

c88f60dbae08519f2f81bb8efa7e6016c6770e66e58d77ab6384069a515e451c
eb3e2a6a50f029fc646e2c3483157ab112f4f017406c3aabedaae0c94e0969f6
f4cd7ab04b1744babef19d147124bfc0e9e90d557408cc2d652d7192df61bda9

RondoDox

cc: @Dio9sys @da_667 since this seems like the kind of thing you might want to sig / tag.

##

CVE-2018-20969
(7.8 HIGH)

EPSS: 0.78%

updated 2024-04-11T21:19:01

1 posts

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2023-34362
(9.8 CRITICAL)

EPSS: 94.48%

updated 2024-04-04T04:29:06

1 posts

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an

Nuclei template

11 repos

https://github.com/errorfiathck/MOVEit-Exploit

https://github.com/aditibv/MOVEit-CVE-2023-34362

https://github.com/Chinyemba-ck/MOVEit-CVE-2023-34362

https://github.com/sfewer-r7/CVE-2023-34362

https://github.com/kenbuckler/MOVEit-CVE-2023-34362

https://github.com/toorandom/moveit-payload-decrypt-CVE-2023-34362

https://github.com/glen-pearson/MoveIT-CVE-2023-34362-RCE

https://github.com/horizon3ai/CVE-2023-34362

https://github.com/lithuanian-g/cve-2023-34362-iocs

https://github.com/deepinstinct/MOVEit_CVE-2023-34362_IOCs

https://github.com/Malwareman007/CVE-2023-34362

cR0w@infosec.exchange at 2025-07-01T17:58:48.000Z ##

Okay, I spent some time going through some of my MOVEit logs and I think I see at least part of what's going on with the increase in MOVEit scans noted by @greynoise.

One thing I have noticed is a group of GCP hosts performing high volume scans against the MOVEit servers every seven days, but not against adjacent servers or other servers for the same orgs. This kind of makes it look targeted but the scans are generic kitchen sink vuln scans.

I did notice that some of these and other scanners I've seen over the past few months now have a couple requests that appear to be testing for CVE-2023-34362 mixed in to their other requests. It's like they loaded their automated scanners with updated payload lists.

There are a lot of Cloudflare and AWS IPs in the logs, as indicated by GreyNoise in their blog post. There are not a lot of unique Google IPs but I'm seeing a ton of noise from the ones I do see. But only every seven days. The servers I have logs for all block Tencent so I can't confirm the activity from their infrastructure.

I have also put my juicy eyes on every single GET and POST sent to these MOVEit Transfer servers for the past 60 days and I do not see any payloads that appear to be new or novel. That's not to say there isn't anything new going on, but I'm now comfortable with treating MOVEit servers with the same concern as before the GreyNoise blog post as I don't see any indication of impending action. There may be some WAF or rate limit or geolocation filter testing going on that's disguised as generic scans, but I have no evidence to suggest that's the case.

Caveat: I have relatively low visibility into what's going on at scale like GreyNoise does so take this with a grain of salt and if it's of interest, go confirm it yourself. This is intended to be informational, not actionable.

#threatIntel #MOVEit

##

CVE-2019-13636
(5.9 MEDIUM)

EPSS: 5.07%

updated 2024-04-04T01:17:53

1 posts

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2019-13232
(3.3 LOW)

EPSS: 0.08%

updated 2024-04-04T01:11:32

1 posts

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2019-9621
(7.5 HIGH)

EPSS: 91.81%

updated 2024-04-04T00:24:27

6 posts

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

1 repos

https://github.com/k8gege/ZimbraExploit

AAKL at 2025-07-07T18:10:09.246Z ##

CISA has updated the KEV catalogue.

- CVE-2014-3931: Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2014-

- CVE-2016-10033: PHPMailer Command Injection Vulnerability cve.org/CVERecord?id=CVE-2016-

- CVE-2019-5418: Rails Ruby on Rails Path Traversal Vulnerability cve.org/CVERecord?id=CVE-2019-

- CVE-2019-9621: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability cve.org/CVERecord?id=CVE-2019-

##

cR0w at 2025-07-07T18:03:41.105Z ##

Four old CVEs added to the CISA KEV Catalog today:
CVE-2014-3931
CVE-2016-10033
CVE-2019-5418
CVE-2019-9621

##

cisakevtracker@mastodon.social at 2025-07-07T18:01:11.000Z ##

CVE ID: CVE-2019-9621
Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Date Added: 2025-07-07
Notes: wiki.zimbra.com/wiki/Zimbra_Se ; wiki.zimbra.com/wiki/Security_ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2010-2772
(7.8 HIGH)

EPSS: 0.08%

updated 2024-02-22T05:08:16

1 posts

Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm, a different vulnerability than CVE-2010-2568.

maxeddy@infosec.exchange at 2025-07-02T14:44:17.000Z ##

Other options:
Exfiltrator
Malicious Payload
CVE-2010-2772

##

CVE-2024-25062
(7.5 HIGH)

EPSS: 0.15%

updated 2024-02-22T05:07:56

1 posts

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2024-0684
(5.5 MEDIUM)

EPSS: 0.07%

updated 2024-02-14T00:35:42

1 posts

A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.

1 repos

https://github.com/Valentin-Metz/writeup_split

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2022-0529
(7.8 HIGH)

EPSS: 0.20%

updated 2023-10-30T12:30:30

1 posts

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of a wide string to a local string, which leads to heap out-of-bounds writes. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

2 repos

https://github.com/nanaao/unzip_poc

https://github.com/ByteHackr/unzip_poc

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2022-0530
(7.8 HIGH)

EPSS: 0.09%

updated 2023-10-30T12:30:30

1 posts

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of a UTF-8 string to a local string, which leads to a segmentation fault. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

2 repos

https://github.com/nanaao/unzip_poc

https://github.com/ByteHackr/unzip_poc

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2022-38392
(5.3 MEDIUM)

EPSS: 0.08%

updated 2023-09-18T05:03:19

1 posts

A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.

paco@infosec.exchange at 2025-07-03T15:15:10.000Z ##

Somehow I missed this CVE when it came out in 2022.

I think it's called a Jackson-in-the-Middle attack.

Certain 5400 RPM hard drives, ... allow physically proximate attackers to cause a ... device malfunction ... via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.

I like that CVE links to a YouTube video where someone tried to reproduce it.

#CVE #NVD #JanetJackson

##

CVE-2019-5418
(7.5 HIGH)

EPSS: 94.23%

updated 2023-08-17T05:02:29

6 posts

File Content Disclosure in Action View. Impact: There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified ac

Nuclei template

12 repos

https://github.com/omarkurt/CVE-2019-5418

https://github.com/brompwnie/CVE-2019-5418-Scanner

https://github.com/W01fh4cker/Serein

https://github.com/ztgrace/CVE-2019-5418-Rails3

https://github.com/mpgn/CVE-2019-5418

https://github.com/daehyeok0618/CVE-2019-5418

https://github.com/takeokunn/CVE-2019-5418

https://github.com/Bad3r/RailroadBandit

https://github.com/NotoriousRebel/RailRoadBandit

https://github.com/mpgn/Rails-doubletap-RCE

https://github.com/kailing0220/CVE-2019-5418

https://github.com/random-robbie/CVE-2019-5418

AAKL at 2025-07-07T18:10:09.246Z ##

CISA has updated the KEV catalogue.

- CVE-2014-3931: Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2014-

- CVE-2016-10033: PHPMailer Command Injection Vulnerability cve.org/CVERecord?id=CVE-2016-

- CVE-2019-5418: Rails Ruby on Rails Path Traversal Vulnerability cve.org/CVERecord?id=CVE-2019-

- CVE-2019-9621: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability cve.org/CVERecord?id=CVE-2019-

##

cR0w at 2025-07-07T18:03:41.105Z ##

Four old CVEs added to the CISA KEV Catalog today:
CVE-2014-3931
CVE-2016-10033
CVE-2019-5418
CVE-2019-9621

##

cisakevtracker@mastodon.social at 2025-07-07T18:01:27.000Z ##

CVE ID: CVE-2019-5418
Vendor: Rails
Product: Ruby on Rails
Date Added: 2025-07-07
Notes: web.archive.org/web/2019031320 ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2018-6952
(7.5 HIGH)

EPSS: 16.66%

updated 2023-02-02T05:03:20

1 posts

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2015-7696
(CVSS UNKNOWN)

EPSS: 31.45%

updated 2023-02-01T05:08:13

1 posts

Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2016-9844
(4.0 None)

EPSS: 10.18%

updated 2023-02-01T05:08:12

1 posts

Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2018-18384
(5.5 MEDIUM)

EPSS: 2.94%

updated 2023-02-01T05:07:51

1 posts

Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2020-16120
(CVSS UNKNOWN)

EPSS: 0.06%

updated 2023-01-29T05:05:39

1 posts

Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by co

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2019-20633
(CVSS UNKNOWN)

EPSS: 0.14%

updated 2023-01-29T05:02:02

1 posts

GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.

certvde at 2025-07-08T07:10:37.853Z ##

VDE-2025-053
Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

CVE-2024-12084, CVE-2024-52533, CVE-2025-0665, CVE-2024-5535, CVE-2024-38428, CVE-2024-5594, CVE-2024-6345, CVE-2025-24965, CVE-2019-13638, CVE-2018-20969, CVE-2018-6952, CVE-2024-6232, CVE-2024-25062, CVE-2024-6119, CVE-2024-12705, CVE-2024-12085, CVE-2024-8176, CVE-2018-6951, CVE-2015-7696, CVE-2025-26465, CVE-2024-5742, CVE-2024-12087, CVE-2024-10524, CVE-2024-12088, CVE-2024-12086, CVE-2019-13636, CVE-2024-50602, CVE-2024-9681, CVE-2025-26466, CVE-2024-9287, CVE-2024-12747, CVE-2022-0529, CVE-2019-20633, CVE-2024-0684, CVE-2022-0530, CVE-2018-18384, CVE-2024-9341, CVE-2023-27043, CVE-2024-12133, CVE-2020-16120, CVE-2024-10918, CVE-2023-7256, CVE-2024-8006, CVE-2024-28882, CVE-2024-9143, CVE-2015-7697, CVE-2016-9844, CVE-2024-11053, CVE-2025-0167, CVE-2019-13232, CVE-2021-4217, CVE-2025-27113

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-25271
(0 None)

EPSS: 0.00%

1 posts

N/A

certvde at 2025-07-08T07:09:16.432Z ##

VDE-2025-019
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-25270, CVE-2025-25268, CVE-2025-25271, CVE-2025-25269

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-25268
(0 None)

EPSS: 0.00%

1 posts

N/A

certvde at 2025-07-08T07:09:16.432Z ##

VDE-2025-019
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-25270, CVE-2025-25268, CVE-2025-25271, CVE-2025-25269

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-24005
(0 None)

EPSS: 0.00%

1 posts

N/A

certvde at 2025-07-08T07:08:52.104Z ##

VDE-2025-014
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-24003, CVE-2025-24005, CVE-2025-24006, CVE-2025-24002, CVE-2025-24004

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-24006
(0 None)

EPSS: 0.00%

1 posts

N/A

certvde at 2025-07-08T07:08:52.104Z ##

VDE-2025-014
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-24003, CVE-2025-24005, CVE-2025-24006, CVE-2025-24002, CVE-2025-24004

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-24004
(0 None)

EPSS: 0.00%

1 posts

N/A

certvde at 2025-07-08T07:08:52.104Z ##

VDE-2025-014
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-24003, CVE-2025-24005, CVE-2025-24006, CVE-2025-24002, CVE-2025-24004

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

CVE-2025-24003
(0 None)

EPSS: 0.00%

1 posts

N/A

certvde at 2025-07-08T07:08:52.104Z ##

VDE-2025-014
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

CVE-2025-24003, CVE-2025-24005, CVE-2025-24006, CVE-2025-24002, CVE-2025-24004

certvde.com/en/advisories/VDE-

phoenixcontact.csaf-tp.certvde

##

_r_netsec at 2025-07-08T04:13:06.067Z ##

What the NULL?! Wing FTP Server RCE (CVE-2025-47812) rcesecurity.com/2025/06/what-t

##

beyondmachines1@infosec.exchange at 2025-07-04T08:01:18.000Z ##

Critical vulnerability in Wing FTP Server enables remote code execution, server takeover

A maximum-severity vulnerability (CVE-2025-47812) in Wing FTP Server allows unauthenticated attackers to achieve complete system compromise through NULL byte injection in the username parameter at the /loginok.html endpoint, enabling arbitrary Lua code execution with root or SYSTEM privileges.

**If you're running Wing FTP Server (any version up to 7.4.3), time to make an URGENT patch, because hackers can easily hijack the entire server. Immediately update to version 7.4.4 or isolate the server from the internet, then plan a quick patch. Patching for this issue is not optional!**
#cybersecurity #infosec #advisory #vulnerability
beyondmachines.net/event_detai

##

DarkWebInformer@infosec.exchange at 2025-07-01T21:51:59.000Z ##

🚨CVE-2025-47812: Wing FTP Server Remote Code Execution (RCE) Exploit

Link: github.com/4m3rr0r/CVE-2025-47

Writeup: rcesecurity.com/2025/06/what-t

##

campuscodi@mastodon.social at 2025-07-01T17:04:21.000Z ##

RCE Security has found major vulnerabilities in the Wing FTP Server.

Attackers can bypass authentication on the server's web interface just by appending a NULL byte to the username followed by any random string.

rcesecurity.com/2025/06/what-t

##

CVE-2025-48952
(0 None)

EPSS: 0.06%

3 posts

N/A

DarkWebInformer at 2025-07-07T19:40:07.058Z ##

🚨CVE-2025-48952: NetAlertX Password Bypass Vulnerability due to Loose Comparison in PHP

PoC and Advisory: github.com/jokob-sk/NetAlertX/

Details: cvedetails.com/cve/CVE-2025-48

CVSS: 9.4

##

cR0w@infosec.exchange at 2025-07-04T23:15:31.000Z ##

LOL. Whoopsie.

github.com/jokob-sk/NetAlertX/

sev:CRIT 9.4 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows users to bypass password verification using SHA-256 magic hashes, due to loose comparison in PHP. In vulnerable versions of the application, a password comparison is performed using the == operator at line 40 in front/index.php. This introduces a security issue where specially crafted "magic hash" values that evaluate to true in a loose comparison can bypass authentication. Because of the use of == instead of the strict ===, different strings that begin with 0e and are followed by only digits can be interpreted as scientific notation (i.e., zero) and treated as equal. This issue falls under the Login Bypass vulnerability class. Users with certain "weird" passwords that produce magic hashes are particularly affected. Services relying on this logic are at risk of unauthorized access. Version 25.6.7 fixes the vulnerability.

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-53536
(0 None)

EPSS: 0.00%

2 posts

N/A

cR0w at 2025-07-07T18:12:41.826Z ##

github.com/RooCodeInc/Roo-Code

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

If the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting, which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it.

Roo Code allows Potential Remote Code Execution via .vscode/settings.json

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2025-1735
(0 None)

EPSS: 0.00%

1 posts

N/A

PostgreSQL@activitypub.awakari.com at 2025-07-04T08:50:27.000Z ##

Critical PHP Vulnerabilities Expose Systems to SQL Injection & DoS Attacks – Update Immediately

A newly disclosed security vulnerability (CVE-2025-1735) in the PHP pgsql extension has raised ...

#Cyber #Security #News #Cybersecurity #Dos #Attack #SQL #Cyber #Security #Cyber #security

##

CVE-2025-0038
(0 None)

EPSS: 0.00%

1 posts

N/A

AAKL@infosec.exchange at 2025-07-02T15:22:27.000Z ##

AMD advisory, from yesterday. Medium severity:

CVE-2025-0038: Zynq™ UltraScale+™ SoC Overwriting Protected Memory Regions Through PMU Firmware amd.com/en/resources/product-s #AMD #cybersecurity #infosec

##

CVE-2025-49588
(0 None)

EPSS: 0.04%

1 posts

N/A

cR0w@infosec.exchange at 2025-07-02T14:53:02.000Z ##

Hilarious LFI in Linkwarden.

github.com/linkwarden/linkward

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of format file:///etc/passwd and doesn't do any validation before sending them to parsers and playwright; this can result in a leak of other users' links (and in some cases it might be possible to leak environment secrets). This issue has been patched in version 2.10.3, which has not been made public at time of publication.

nvd.nist.gov/vuln/detail/CVE-2

##

_r_netsec@infosec.exchange at 2025-07-02T10:43:06.000Z ##

Remote code execution in CentOS Web Panel - CVE-2025-48703 fenrisk.com/rce-centos-webpanel

##

golang@activitypub.awakari.com at 2025-07-01T07:00:00.000Z ##

Notepad++ 8.8.2 available

The update fixes a security vulnerability and much more. An update to version 8.8.2 is available for Notepad++. This is also a security update that fixes CVE-2025-49144 ....

#News

##

ChrisShort@hachyderm.io at 2025-06-30T22:24:31.000Z ##

CVE Record: CVE-2025-49144 - Notepad++ Privilege Escalation In Installer Via Uncontrolled Executable Search Path #SuggestedRead #devopsish cve.org/CVERecord?id=CVE-2025-

##

CVE-2025-53100
(0 None)

EPSS: 0.97%

1 posts

N/A

cR0w@infosec.exchange at 2025-07-01T18:05:11.000Z ##

Go hack more MCP shit.

github.com/RestDB/codehooks-mc

sev:HIGH 8.6 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2.

nvd.nist.gov/vuln/detail/CVE-2

##
