SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 25ISSUE 20
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
New Variant of Crypto Confidence Scam
Published: 2025-05-21
Last Updated: 2025-05-21 15:26:09 UTC
by Johannes Ullrich (Version: 1)
In February, we had a few diaries about crypto wallet scams. We saw these scams use YouTube comments, but they happened via other platforms and messaging systems, not just YouTube. The scam was a bit convoluted: The scammer posted the secret key to their crypto wallet. Usually, this would put their crypto wallet at risk of being emptied. But the wallet they used came with a twist: A second key was required. The scammer counted on the victim paying the transaction fee, which the scammer would receive, before attempting to withdraw the funds.
This is a classic "confidence scheme" or "advance fee" scheme. The victim believes they are scamming the attacker out of their money. Instead, they are being robbed. These types of scams are amazingly successful in real life and online. They rely on greedy victims attempting to get something for free (or cheap).
I recently started seeing a new variation of this scam, this time mostly via X direct messages ...
Read the full entry: https://isc.sans.edu/diary/New+Variant+of+Crypto+Confidence+Scam/31968/
Researchers Scanning the Internet
Published: 2025-05-20
Last Updated: 2025-05-20 13:59:12 UTC
by Johannes Ullrich (Version: 1)
We have been using our data to identify researchers scanning the internet for a few years. Currently, we are tracking 36 groups performing such scans, and our data feed of the IP addresses used contains around 33k addresses.
Of course, no clear definition of when a scan is inappropriate exists. Some consider any scan performed nationally and without permission to be unethical. Others have a higher bar, for example, considering scans appropriate if they do not exploit vulnerabilities or cause damage. Legal frameworks vary around the world.
Earlier today, Caleb reminded me of RFC 9511, which I believe offers some good ideas and should be considered if you plan to perform an internet-wide scan. The RFC is entitled "Attribution of Internet Probes." It gets to one of the main issues: Identify yourself if you are performing these scans. This way, if you are causing problems, targets can contact you. This should be a minimum requirement to limit unintentional damage.
Can a simple "scan" cause damage? Of course, it can! We had plenty of examples of such scans causing problems. My favorite example is an old Cisco bug that caused routers to crash if they were scanned with empty UDP packets.
RFC9511 suggests adding a URL to your probe packets and a probe description file at "/.well-known/probing.txt." The IP address the probe originates from should reverse resolve to a hostname, and the probe description file can be found at that hostname. Alternatively, the host the probe originates from should run a web server offering the file. Or the probe description URL should be included as a payload.
For web-based scanning, I see many scanners adding a URL to the user-agent header, which I think fulfills what RFC 9511 is attempting to achieve ...
Read the full entry: https://isc.sans.edu/diary/Researchers+Scanning+the+Internet/31964/
Web Scanning SonicWall for CVE-2021-20016 - Update
Published: 2025-05-14
Last Updated: 2025-05-15 01:23:29 UTC
by Guy Bruneau (Version: 1)
I published on the 29 Apr 2025 a diary on scanning activity looking for SonicWall and since this publication this activity has grown 10-fold. Over the past 14 days, several BACS students have reported activity related to SonicWall scans all related for the same 2 URLs previously mentioned in my last diary. My own DShield sensor was probed by 25 separate IPs during those last 14 days. The three most active IPs were all from the same subnet ...
Read the full entry: https://isc.sans.edu/diary/Web+Scanning+SonicWall+for+CVE202120016+Update/31952/
Internet Storm Center Entries
RAT Dropped By Two Layers of AutoIT Code (2025.05.19)
https://isc.sans.edu/diary/RAT+Dropped+By+Two+Layers+of+AutoIT+Code/31960/
xorsearch.py: Python Functions (2025.05.17)
https://isc.sans.edu/diary/xorsearchpy+Python+Functions/31858/
Microsoft Patch Tuesday: May 2025 (2025.05.13)
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+May+2025/31946/
Apple Updates Everything: May 2025 Edition (2025.05.12)
https://isc.sans.edu/diary/Apple+Updates+Everything+May+2025+Edition/31942/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-32756 - Fortinet FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera are vulnerable to a stack-based buffer overflow allowing remote attackers to execute arbitrary code via specially crafted HTTP requests.
Product: Multiple Fortinet products
CVSS Score: 9.8
** KEV since 2025-05-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32756
ISC Podcast: https://isc.sans.edu/podcastdetail/9450
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-25-254
CVE-2021-20016 - SonicWall SSLVPN SMA100 SQL Injection Vulnerability
Product: Sonicwall SMA_500V
CVSS Score: 0
** KEV since 2021-11-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-20016
ISC Podcast: https://isc.sans.edu/podcastdetail/9454
CVE-2025-42999 - SAP NetWeaver Visual Composer Metadata Uploader is vulnerable to upload of untrusted content that could compromise system confidentiality, integrity, and availability.
Product: Sap NetWeaver
CVSS Score: 9.1
** KEV since 2025-05-15 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42999
NVD References:
- https://me.sap.com/notes/3604119
- https://url.sap/sapsecuritypatchday
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
CVE-2025-4428 - Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows authenticated attackers to execute arbitrary code through crafted API requests.
Product: Ivanti Endpoint Manager Mobile
CVSS Score: 7.2
** KEV since 2025-05-19 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4428
ISC Podcast: https://isc.sans.edu/podcastdetail/9450
NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM
CVE-2025-4427 - Ivanti Endpoint Manager Mobile 12.5.0.0 and prior is vulnerable to an authentication bypass in its API component, allowing attackers to access protected resources without proper credentials.
Product: Ivanti Endpoint Manager Mobile
CVSS Score: 5.3
** KEV since 2025-05-19 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4427
ISC Podcast: https://isc.sans.edu/podcastdetail/9450
NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM
CVE-2025-4664 - Google Chrome Loader had a high severity vulnerability allowing a remote attacker to leak cross-origin data via a crafted HTML page.
Product: Google Chrome
CVSS Score: 4.3
** KEV since 2025-05-15 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4664
ISC Podcast: https://isc.sans.edu/podcastdetail/9454
NVD References:
- https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
CVE-2025-30397 - Microsoft Scripting Engine is vulnerable to type confusion, enabling unauthorized attackers to execute code over a network.
Product: Microsoft Windows 10 1507
CVSS Score: 7.5
** KEV since 2025-05-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30397
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397
CVE-2025-30400 - Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows 10 1809
CVSS Score: 7.8
** KEV since 2025-05-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30400
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400
CVE-2025-32701 - Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2025-05-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32701
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701
CVE-2025-32706 - Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2025-05-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32706
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706
CVE-2025-32709 - Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2025-05-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32709
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709
CVE-2023-49641 - Billing Software v1.0 has multiple Unauthenticated SQL Injection vulnerabilities due to lack of filtering in the 'username' parameter of loginCheck.php.
Product: Kashipara Billing Software v1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49641
NVD References:
CVE-2025-4632 - Samsung MagicINFO 9 Server before version 21.1052 allows attackers to write arbitrary files with system authority by improperly limiting pathnames to restricted directories.
Product: Samsung MagicINFO 9 Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4632
NVD References: https://security.samsungtv.com/securityUpdates#SVP-MAY-2025
CVE-2025-26389 - OZW672 and OZW772 are vulnerable to a remote code execution attack due to unsanitized input parameters in the `exportDiagramPage` endpoint, potentially granting unauthorized root access.
Product: OZW OZW672 and OZW772
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26389
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-047424.html
CVE-2025-26390 - OZW672 and OZW772 are vulnerable to SQL injection, allowing an unauthenticated remote attacker to bypass authentication and authenticate as Administrator user.
Product: OZW OZW672 and OZW772
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26390
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-047424.html
CVE-2025-32469, CVE-2025-33024, CVE-2025-33025 - RUGGEDCOM ROX series devices are vulnerable to command injection
Product: Siemens RUGGEDCOM
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32469
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33024
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33025
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-301229.html
CVE-2025-44831 - EngineerCMS v1.02 through v2.0.5 has a SQL injection vulnerability in the /project/addproject interface.
Product: EngineerCMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44831
NVD References: https://github.com/3xxx/engineercms/issues/91
CVE-2024-46506 - NetAlertX 23.01.14 through 24.x before 24.10.12 is susceptible to unauthenticated command injection via settings update due to a missing authentication requirement, seen in a real exploitation in May 2025.
Product: NetAlertX 23.01.14 through 24.x before 24.10.12CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46506NVD References: - https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/- https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/CVE-2025-22462 - Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2, and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system through an authentication bypass.Product: Ivanti Neurons for ITSMCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22462NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-on-premises-only-CVE-2025-22462CVE-2025-28056 - rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in /admin/admin-cli/exec component.Product: rebuild v3.9.0CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28056NVD References: - https://gist.github.com/LTLTLXEY/c34dc785fc24f4cbb026e2ef3d7660c4- https://github.com/getrebuild/rebuild/issues/866CVE-2025-45857 - EDIMAX CV7428NS v1.20 is vulnerable to remote code execution (RCE) through the command parameter in the mp function.Product: EDIMAX CV7428NSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45857NVD References: - https://github.com/Jiangxiazhe/IOT_hack/blob/main/EDIMAX/CV7428NS/1.md- https://www.edimax.com/CVE-2025-45858 - TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function.Product: TOTOLINK A3002RCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45858NVD References: - https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/injection1.md- https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/258/ids/36.htmlCVE-2025-45861, CVE-2025-45865, CVE-2025-45863 - TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain multiple buffer overflow vulnerabilities.Product: Totolink A3002RCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45861NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45865NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45863NVD References: - https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/3/overflow.md- https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/6/overflow.md- https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/5/overflow.md- https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/258/ids/36.htmlCVE-2025-30387 - Azure vulnerability allows unauthorized attackers to elevate privileges through improper limitation of pathnames.Product: Microsoft Azure AI Document Intelligence StudioCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30387NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30387CVE-2025-4660 - SecureConnector for Windows is vulnerable to remote code execution due to improper access controls on a named pipe, allowing any network-based attacker to connect without authentication and issue commands via the SecureConnector Agent.Product: Forescout SecureConnectorCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4660NVD References: https://forescout.my.site.com/support/s/article/CVE-2025-45746 - ZKT ZKBio CVSecurity 6.4.1_R allows unauthenticated attackers to create JWT tokens with a hardcoded secret for unauthorized access to the service console.Product: ZKT ZKBio CVSecurityCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45746NVD References: - http://zkbio.com- https://github.com/mrojz/ZKT-Bio-CVSecurity/blob/main/CVE-2025-45746.mdCVE-2025-43559 & CVE-2025-43560 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are vulnerable to Improper Input Validation issues allowing for arbitrary code execution by a high-privileged attacker without user interaction.Product: Adobe ColdFusionCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43559NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43560NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-52.htmlCVE-2025-43561 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability allowing high-privileged attackers to execute arbitrary code without user interaction.Product: Adobe ColdFusionCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43561NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-52.htmlCVE-2025-43562 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an OS Command Injection vulnerability allowing arbitrary code execution by high-privileged attackers.Product: Adobe ColdFusionCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43562NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-52.htmlCVE-2025-43563 & CVE-2025-43564 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are vulnerable to Improper …
cve-2024-46506 - rce-in-netalertx/
CVE-2025-22462 - Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2, and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system through an authentication bypass.
Product: Ivanti Neurons for ITSM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22462
NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-on-premises-only-CVE-2025-22462
CVE-2025-28056 - rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in /admin/admin-cli/exec component.
Product: rebuild v3.9.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28056
NVD References:
- https://gist.github.com/LTLTLXEY/c34dc785fc24f4cbb026e2ef3d7660c4
CVE-2025-45857 - EDIMAX CV7428NS v1.20 is vulnerable to remote code execution (RCE) through the command parameter in the mp function.
Product: EDIMAX CV7428NS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45857
NVD References:
- https://github.com/Jiangxiazhe/IOT_hack/blob/main/EDIMAX/CV7428NS/1.md
CVE-2025-45858 - TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function.
Product: TOTOLINK A3002R
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45858
NVD References:
- https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/injection1.md
- https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/258/ids/36.html
CVE-2025-45861, CVE-2025-45865, CVE-2025-45863 - TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain multiple buffer overflow vulnerabilities.
Product: Totolink A3002R
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45861
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45865
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45863
NVD References:
- https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/3/overflow.md
- https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/6/overflow.md
- https://github.com/Jiangxiazhe/IOT_hack/blob/main/TOTOLINK/A3002R/5/overflow.md
- https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/258/ids/36.html
CVE-2025-30387 - Azure vulnerability allows unauthorized attackers to elevate privileges through improper limitation of pathnames.
Product: Microsoft Azure AI Document Intelligence Studio
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30387
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30387
CVE-2025-4660 - SecureConnector for Windows is vulnerable to remote code execution due to improper access controls on a named pipe, allowing any network-based attacker to connect without authentication and issue commands via the SecureConnector Agent.
Product: Forescout SecureConnector
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4660
NVD References: https://forescout.my.site.com/support/s/article/
CVE-2025-45746 - ZKT ZKBio CVSecurity 6.4.1_R allows unauthenticated attackers to create JWT tokens with a hardcoded secret for unauthorized access to the service console.
Product: ZKT ZKBio CVSecurity
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45746
NVD References:
- https://github.com/mrojz/ZKT-Bio-CVSecurity/blob/main/CVE-2025-45746.md
CVE-2025-43559 & CVE-2025-43560 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are vulnerable to Improper Input Validation issues allowing for arbitrary code execution by a high-privileged attacker without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43559
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43560
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-52.html
CVE-2025-43561 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability allowing high-privileged attackers to execute arbitrary code without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43561
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-52.html
CVE-2025-43562 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an OS Command Injection vulnerability allowing arbitrary code execution by high-privileged attackers.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43562
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-52.html
CVE-2025-43563 & CVE-2025-43564 - ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are vulnerable to Improper Access Control flaws allowing unauthorized file system access without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43563
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43564
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-52.html
CVE-2025-43567 - Adobe Connect versions 12.8 and earlier are vulnerable to a reflected Cross-Site Scripting (XSS) attack, allowing an attacker to inject malicious scripts into form fields and potentially execute malicious JavaScript on a victim's browser.
Product: Adobe Connect
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43567
NVD References: https://helpx.adobe.com/security/products/connect/apsb25-36.html
CVE-2024-24780 - Apache IoTDB is vulnerable to Remote Code Execution with untrusted URI in UDF, allowing attackers with privilege to register malicious functions from untrusted sources, affecting versions 1.0.0 to 1.3.3, users are advised to update to version 1.3.4 to mitigate the risk.
Product: Apache IoTDB
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24780
NVD References:
- https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj
CVE-2025-47777 - 5ire is vulnerable to stored cross-site scripting in chatbot responses prior to version 0.11.1, leading to potential Remote Code Execution via unsafe Electron protocol handling.
Product: 5ire client
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47777
NVD References:
- https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8
CVE-2025-47781 - Rallly's authentication mechanism is vulnerable to brute force attacks due to a weak 6-digit token-based authentication system with no brute force protection.
Product: Rallly
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47781
NVD References: https://github.com/lukevella/rallly/security/advisories/GHSA-gm8g-3r3j-48hv
CVE-2025-32363 - mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data.
Product: mediDOK
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32363
NVD References:
- https://medidok.de/aktuelles-neuigkeiten/
- https://medidok.de/neueversionen/update-medidok-2-5-18-43-verfugbar/
CVE-2025-27891 - Samsung Exynos processors and modems are vulnerable to out-of-bounds reads via malformd NAS packets due to a lack of length check.
Product: Samsung Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27891
NVD References:
- https://semiconductor.samsung.com/support/quality-support/product-security-updates/
- https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-27891/
CVE-2025-47884 - Jenkins OpenID Connect Provider Plugin allows attackers to craft build ID Tokens with overridden environment values, potentially granting unauthorized access to external services.
Product: Jenkins OpenID Connect Provider Plugin
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47884
NVD References: https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3574
CVE-2025-47889 - Jenkins WSO2 OAuth Plugin 1.0 and earlier allows unauthenticated attackers to log in using any username and password due to lack of authentication claim validation.
Product: Jenkins WSO2 OAuth Plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47889
NVD References: https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3481
CVE-2025-32002 - I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier allows remote unauthenticated attackers to execute arbitrary OS commands via the 'Remote Link3 function'.
Product: I-O DATA HDL-T Series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32002
NVD References:
CVE-2025-46052 - WebERP v4.15.2 is vulnerable to an error-based SQL Injection (SQLi) attack through the DEL form field in /StockCounts.php, enabling attackers to execute arbitrary SQL commands and extract sensitive data.
Product: WebERP v4.15.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46052
NVD References:
- https://github.com/johnchd/CVEs/blob/main/WebERP/CVE-2025-46052%20-%20SQLi.md
- https://github.com/johnchd/CVEs/blob/main/WebERP/CVE-2025-46052%20-%20SQLi.md
CVE-2025-47928 - Spotipy, a Python library for the Spotify Web API, is vulnerable to exploitation through the use of `pull_request_target` in `.github/workflows/integration_tests.yml`, allowing attackers to exfiltrate sensitive secrets like `GITHUB_TOKEN` and `SPOTIPY_CLIENT_ID`, potentially leading to a complete takeover of the affected repository.
Product: Spotipy Spotify Web API
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47928
NVD References:
- https://github.com/spotipy-dev/spotipy/commit/4f5759dbfb4506c7b6280572a4db1aabc1ac778d
- https://github.com/spotipy-dev/spotipy/commit/9dfb7177b8d7bb98a5a6014f8e6436812a47576f
- https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-h25v-8c87-rvm8
CVE-2025-47275 - Auth0-PHP SDK prior to v8.14.0 allows for brute forcing of authentication tags in session cookies, potentially leading to unauthorized access.
Product: Auth0-PHP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47275
NVD References:
- https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25
- https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3
- https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch
- https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q
CVE-2025-47916 - Invision Community 5.0.0 before 5.0.7 is vulnerable to remote code execution due to unauthenticated users being able to exploit the themeeditor controller in themeeditor.php.
Product: Invision Community 5.0.0
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47916
NVD References:
- https://invisioncommunity.com/release-notes-v5/507-r41/
CVE-2025-40906 - BSON::XS versions 0.8.4 and earlier bundled with libbson 1.1.7 for Perl have multiple vulnerabilities and are no longer supported as of August 13, 2020.
Product: BSON::XS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40906
NVD References:
- https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html
- https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890
CVE-2025-48187 - RAGFlow through 0.18.1 is vulnerable to account takeover due to lack of rate limiting on six-digit email verification codes, allowing successful brute-force attacks for arbitrary account actions.
Product: RAG RAGFlow
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48187
NVD References:
CVE-2025-47945 - Donetick, an open-source task and chore management app, has a vulnerability in versions prior to 0.1.44 where the weak default signing secret for JSON Web Tokens can lead to full account takeover for any user.
Product: Donetick open-source app
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47945
NVD References:
- https://github.com/donetick/donetick/commit/620b897bc0135f6668bb8a5562678104531108eb
- https://github.com/donetick/donetick/commit/b9a6e177eefdc605dedbc5320f0d93d6573d1db6
- https://github.com/donetick/donetick/security/advisories/GHSA-hjjg-vw4j-986x
CVE-2025-4978 - Netgear DGND3700 1.1.00.15_1.00.15NA has a very critical vulnerability in Basic Authentication leading to improper authentication, allowing for remote attacks after disclosure to the public.
Product: Netgear DGND3700
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4978
NVD References:
- https://github.com/at0de/my_vulns/blob/main/Netgear/DGND3700v2/backdoor.md
CVE-2025-48017 - Improper limitation of pathname in Circuit Provisioning and File Import applications allows modification and uploading of files
Product: Not enough information provided to determine the vendor and product name.
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48017
NVD References: https://selinc.com/products/software/latest-software-versions/
CVE-2025-46724 - Langroid's TableChatAgent prior to version 0.53.15 is vulnerable to code injection when using `pandas eval()` with untrusted user input, but has since added input sanitization and warnings in the documentation to address this issue.
Product: Langroid TableChatAgent
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46724
NVD References:
- https://github.com/langroid/langroid/commit/0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6
- https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj
CVE-2025-47277 - vLLM is vulnerable in versions 0.6.5 through 0.8.4 in environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine, affecting only those configurations.
Product: vLLM PyNcclPipe
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47277
NVD References:
- https://docs.vllm.ai/en/latest/deployment/security.html
- https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv
CVE-2025-47934 - OpenPGP.js is vulnerable to a flaw where a maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning data that was not actually signed.
Product: OpenPGP.js OpenPGP protocol
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47934
ISC Podcast: https://isc.sans.edu/podcastdetail/9460
NVD References: https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
CVE-2025-3917 - The 百度站长SEO合集 for WordPress plugin is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code.
Product: WordPress 百度站长SEO合集
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3917
NVD References:
- https://plugins.trac.wordpress.org/browser/baiduseo/tags/2.0.6/inc/index/youhua.php#L371
CVE-2025-4564 - The TicketBAI Facturas para WooCommerce plugin for WordPress allows unauthenticated attackers to delete arbitrary files on the server through the 'delpdf' action, leading to potential remote code execution in versions up to 3.18.
Product: TicketBAI Facturas para WooCommerce plugin
Active Installations: This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4564
NVD References:
- https://plugins.trac.wordpress.org/browser/wp-ticketbai/trunk/wp-ticketbai.php#L240
CVE-2024-6159 - The Push Notification for Post and BuddyPress WordPress plugin before version 1.9.4 is vulnerable to SQL injection via an AJAX action accessible to unauthenticated users due to improper sanitization of a parameter used in a SQL statement.
Product: WordPress Push Notification for Post and BuddyPress Plugin
Active Installations: 200+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6159
NVD References: https://wpscan.com/vulnerability/de20ebda-b0bc-489e-a8d3-e9487a2b48e8/
CVE-2024-6584 - The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.
Product: WordPress Boost plugin
Active Installations: 300,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6584
NVD References: https://wpscan.com/vulnerability/eaa57c8c-1cac-4903-9763-79f7f84469fa/
CVE-2025-32643 - WPGYM is vulnerable to Blind SQL Injection through improper neutralization of special elements in SQL commands affecting versions from n/a through 65.0.
Product: mojoomla WPGYM
Active Installations: Unknown
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32643
NVD References: https://patchstack.com/database/wordpress/plugin/gym-management/vulnerability/wordpress-wpgym-plugin-65-0-sql-injection-vulnerability?_s_id=cve
CVE-2025-39406 - WPAMS is vulnerable to PHP Local File Inclusion in versions n/a through 44.0.
Product: mojoomla WPAMS
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-39395 - WPAMS is vulnerable to SQL Injection from version n/a through 44.0 (17-08-2023).
Product: mojoomla WPAMS
Active Installations: Unknown
CVSS Score: 9.3
CVE-2025-39401 & CVE-2025-39402 - WPAMS allows for unrestricted upload of files with dangerous types, posing a risk of uploading a web shell to a web server.
Product: mojoomla WPAMS
Active Installations: Unknown
CVSS Scores: 9.9 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39401
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39402
NVD References:
CVE-2025-39380 - Mojoomla Hospital Management System allows attackers to upload a web shell to a web server due to unrestricted upload of file with dangerous type vulnerability.
Product: Mojoomla Hospital Management System
Active Installations: Unknown
CVSS Score: 10.0
CVE-2025-39386 - Mojoomla Hospital Management System is vulnerable to SQL Injection from versions n/a through 47.0(20-11-2023).
Product: Mojoomla Hospital Management System
Active Installations: Unknown
CVSS Score: 9.3
CVE-2025-39481 - Eventer software from n/a through version 3.9.6 is vulnerable to Blind SQL Injection due to improper neutralization of special elements in SQL commands.
Product: imithemes Eventer
Active Installations: Unknown
CVSS Score: 9.3
CVE-2025-4389 - The Crawlomatic Multipage Scraper Post Generator plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially execute remote code.
Product: Crawlomatic Multipage Scraper Post Generator plugin for WordPress
Active Installations: Unknown. Update to version 2.6.8.2, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4389
NVD References:
CVE-2025-4391 - The Echo RSS Feed Post Generator plugin for WordPress allows unauthenticated attackers to upload arbitrary files via the echo_generate_featured_image() function, potentially leading to remote code execution.
Product: Echo RSS Feed Post Generator plugin for WordPress
Active Installations: Unbeknown. Update to version 5.4.8.2, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4391
NVD References:
- https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974
CVE-2025-26872 - Eximius allows unrestricted upload of dangerous files, enabling malicious users to exploit this vulnerability from versions n/a through 2.2.
Product: dkszone Eximius
Active Installations: Unknown
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26872
NVD References: https://patchstack.com/database/wordpress/theme/eximius/vulnerability/wordpress-eximius-theme-2-2-arbitrary-file-upload-vulnerability?_s_id=cve
CVE-2025-26892 - dkszone Celestial Aura allows malicious files to be uploaded due to unrestricted file uploading vulnerability from n/a through 2.2.
Product: dkszone Celestial Aura
Active Installations: Unknown
CVSS Score: 9.9
CVE-2025-47582 - WPBot Pro Wordpress Chatbot allows Object Injection via Deserialization of Untrusted Data vulnerability, affecting versions from n/a through 12.7.0.
Product: QuantumCloud WPBot Pro WordPress Chatbot
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-39410 - Smart Sections Theme Builder - WPBakery Page Builder Addon is vulnerable to deserialization of untrusted data from n/a through 1.7.8.
Product: themegusta Smart Sections Theme Builder - WPBakery Page Builder Addon
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-39445 - Super Store Finder version from n/a through 7.2 is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands.
Product: highwarden Super Store Finder
Active Installations: Unknown
CVSS Score: 9.3
CVE-2025-47577 - TI WooCommerce Wishlist allows unrestricted uploading of dangerous files, potentially enabling cybercriminals to upload web shells onto web servers.
Product: TemplateInvaders TI WooCommerce Wishlist
Active Installations: 100,000+
CVSS Score: 10.0
CVE-2025-47581 - Elbisnero WordPress Events Calendar Registration & Tickets is vulnerable to deserialization of untrusted data, allowing object injection from versions n/a through 2.6.0.
Product: Elbisnero WordPress Events Calendar Registration & Tickets
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-32926 - Grand Restaurant WordPress allows Path Traversal due to Improper Limitation of a Pathname to a Restricted Directory vulnerability.
Product: ThemeGoods Grand Restaurant WordPress
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-39348 - Grand Restaurant WordPress is vulnerable to Object Injection due to untrusted data deserialization in versions from n/a through 7.0.
Product: ThemeGoods Grand Restaurant WordPress
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-32927 - Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.This issue affects FoodBakery: from n/a through 3.3.
Product: Chimpstudio FoodBakery
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-32928 - Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.This issue affects Altair: from n/a through 5.2.2.
Product: ThemeGoods Altair
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32928
NVD References: https://patchstack.com/database/wordpress/theme/altair/vulnerability/wordpress-altair-theme-5-2-2-php-object-injection-vulnerability?_s_id=cve
CVE-2025-39349 - Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.This issue affects CiyaShop: from n/a through 4.18.0.
Product: Potenzaglobalsolutions CiyaShop
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-39354 - Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.This issue affects Grand Conference: from n/a through 5.2.
Product: ThemeGoods Grand Conference
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-39356 - Foodbakery Sticky Cart is vulnerable to Deserialization of Untrusted Data allowing Object Injection from versions n/a through 3.2.
Product: Chimpstudio Foodbakery Sticky Cart
Active Installations: Unknown
CVSS Score: 9.8
CVE-2025-39389 - Solid Plugins AnalyticsWP is vulnerable to SQL Injection through version 2.1.2.
Product: Solid Plugins AnalyticsWP
Active Installations: unknown
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39389
NVD References: https://patchstack.com/database/wordpress/plugin/analyticswp/vulnerability/wordpress-analyticswp-2-1-2-sql-injection-vulnerability?_s_id=cve
CVE-2025-48340 - User Profile Meta Manager is vulnerable to Cross-Site Request Forgery (CSRF) allowing Privilege Escalation from n/a through 1.02.
Product: Danny Vink User Profile Meta Manager
Active Installations: This plugin has been closed as of April 24, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
CVE-2025-4322 - The Motors theme for WordPress is vulnerable to privilege escalation through account takeover, allowing unauthenticated attackers to change user passwords and gain administrative access.
Product: WordPress Motors theme
Active Installations: Unknown. Update to version 5.6.68, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4322
NVD References:
- http://themeforest.net/item/motors-car-dealership-wordpress-theme/13987211
The following vulnerability needs a manual review:
CVE-2025-4609 - Chromium/Google Chrome is vulnerable to an incorrect handle provided in unspecified circumstances in Mojo.
Product: Chromium/Google Chrome
CVSS Score: N/A
NVD: N/A
NVD References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-4609
- https://www.securityweek.com/chrome-136-update-patches-vulnerability-with-exploit-in-the-wild/
- https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-4609
Sponsors
Wiz
Getting Started with DevSecOps | Align your security and development teams to improve code security with this new playbook. Embedding security into your DevOps and development processes isn’t just a nice-to-have anymore—it's essential for building secure applications and infrastructure for the cloud. Get the playbook
ARMO
Webcast | The Future of Cloud Security Starts with Runtime | May 29, 1:00 ET Modern cloud attacks are fast, stealthy, and constantly evolving—can your security strategy keep up? Join us for an eye-opening session that explores why traditional security tools are falling short and how runtime visibility is becoming a critical pillar of modern cloud defense. Save your seat today:
Dropzone AI
Webcast | SANS First Look: Leveraging Dropzone AI to Handle Tier 1 Alert Triage | June 18, 1:00 ET SANS Instructor Mark Jeanmougin will examine how Dropzone AI can integrate into existing security stacks, support analyst development, and help SOC teams stay focused on high-impact decisions. We’ll explore how Dropzone AI functions as a virtual Tier 1 analyst, helping your team automate alert triage, cut through the noise, and escalate only what truly matters.
Knostic
Webcast | Rethinking Oversharing Risk and Knowledge Segmentation in the Age of AI, June 3 at noon ET Join this webcast to explore how Knostic is redefining access and identity management for the AI era with a knowledge-centric approach that emphasizes not just who has access, but who needs access. Discover how their innovative methodology—grounded in need-to-know principles, role-based knowledge segmentation, and intent-aware access policies—creates an intelligent, scalable framework for controlling AI-generated knowledge sharing. Save your seat today: