Internet Storm Center Spotlight


INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Be Careful With Fake Zoom Client Downloads

Published: 2025-06-05

Last Updated: 2025-06-05 06:36:36 UTC

by Xavier Mertens (Version: 1)

Collaborative tools are really popular these days. Since the COVID-19 pandemic, many people switched to remote work positions and we need to collaborate with our colleagues or customers every day. Tools like Microsoft Teams, Zoom, WebEx, (name your best solution), ... became popular and must be regularly updated. Yesterday, I received an interesting email with a fake Zoom meeting invitation ...

When you click on join, you'll visit a website. The HTML page is not malicious but it asks you to install the latest Zoom client ...

If you click on the download button, you'll get a nice "gift" ...

Read the full entry: https://isc.sans.edu/diary/Be+Careful+With+Fake+Zoom+Client+Downloads/32014/

Microsoft Patch Tuesday June 2025

Published: 2025-06-10

Last Updated: 2025-06-10 17:50:23 UTC

by Johannes Ullrich (Version: 1)

Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.

Notable Vulnerabilities:

CVE-2025-33053: WebDAV remote code execution vulnerability. This vulnerability has already been exploited. Microsoft rates it as important. This affects the client part of WebDAV, not the server part. User interaction is required. If an attacker can control the file name and path, they can trick the victim into executing code over the network. This is another issue related to the still supported remnants of Internet Explorer, like the Scripting Engine and MSHTML. You must apply the IE Cumulative Update to patch, even if you no longer use IE.

- https://nvd.nist.gov/vuln/detail/CVE-2025-33053

CVE-2025-33073: A Windows SMB client elevation of privilege vulnerability. This vulnerability has already been disclosed but Microsoft has not yet observed it being exploited. An attacker exploiting this vulnerability will gain SYSTEM privileges. But Microsoft considers successful exploitation less likely. An attacker would need the victim to connect to a malicious SMB server.

- https://nvd.nist.gov/vuln/detail/CVE-2025-33073

CVE-2025-32710: An unauthenticated remote code execution vulnerability in the remote desktop service. But it requires the exploitation of a race condition. Microsoft believes it is less likely that an exploit will become available.

- https://nvd.nist.gov/vuln/detail/CVE-2025-32710

CVE-2025-29828: Microsoft states that this vulnerability is due to a "missing release of memory after effective lifetime in Windows Cryptographic Services allows an unauthorized attacker to execute code over a network". This vulnerability worries me a bit if this could be used to exploit various TLS services. However, not enough is known to gauge the exploitability. Microsoft considers the attack as "highly complex" and exploitation as less likely.

- https://nvd.nist.gov/vuln/detail/CVE-2025-29828

Microsoft Office Remote Code Execution Vulnerability: Four of the critical vulnerabilities apply to Microsoft Office. These are rated critical as they may be exploited via the preview pane, without actually opening the malicious document ...

Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+June+2025/32032/

Quasar RAT Delivered Through Bat Files

Published: 2025-06-11

Last Updated: 2025-06-11 05:53:08 UTC

by Xavier Mertens (Version: 1)

RATs are popular malware. There are many of them in the wild, Quasar being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated. This file is a second stage that is downloaded and launched from a simple script ...

Read the full entry: https://isc.sans.edu/diary/Quasar+RAT+Delivered+Through+Bat+Files/32036/

Internet Storm Center Entries


OctoSQL & Vulnerability Data (2026.06.08)

https://isc.sans.edu/diary/OctoSQL+Vulnerability+Data/32026/

Extracting With pngdump.py (2025.06.08)

https://isc.sans.edu/diary/Extracting+With+pngdumppy/32022/

Wireshark 4.4.7 Released (2025.06.08)

https://isc.sans.edu/diary/Wireshark+447+Released/32020/

Upcoming DShield Honeypot Changes and Customizations (2025.06.06)

https://isc.sans.edu/diary/Upcoming+DShield+Honeypot+Changes+and+Customizations/32016/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-21479 & CVE-2025-21480 - Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.

Product: Qualcomm AQT1000

CVSS Score: 8.6

** KEV since 2025-06-03 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21479

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21480

ISC Diary: https://isc.sans.edu/diary/32026

NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

CVE-2025-27038 - Memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

Product: Qualcomm AR8031

CVSS Score: 7.5

** KEV since 2025-06-03 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27038

ISC Diary: https://isc.sans.edu/diary/32026

NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

CVE-2025-33053 - External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network.

Product: WebDAV Microsoft

CVSS Score: 8.8

** KEV since 2025-06-10 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33053

ISC Diary: https://isc.sans.edu/diary/32032

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053

CVE-2025-5419 - Google Chrome prior to 137.0.7151.68 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Product: Google Chrome

CVSS Score: 8.8

** KEV since 2025-06-05 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5419

NVD References: 

- https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html

- https://issues.chromium.org/issues/420636529

CVE-2025-47966 - Power Automate is vulnerable to unauthorized actors accessing sensitive information and elevating privileges over a network.

Product: Microsoft Power Automate

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47966

ISC Diary: https://isc.sans.edu/diary/32032

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47966

CVE-2025-48827 - vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 on PHP 8.1 or later allow unauthenticated users to access protected API controllers' methods via /api.php?method=protectedMethod.

Product: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48827

ISC Podcast: https://isc.sans.edu/podcastdetail/9478

CVE-2025-48828 - vBulletin versions are vulnerable to arbitrary PHP code execution through Template Conditionals abuse, allowing attackers to bypass security checks and execute code in an alternative function syntax.

Product: Certain vBulletin versions

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48828

ISC Podcast: https://isc.sans.edu/podcastdetail/9478

CVE-2025-4517 - The tarfile module in Python versions 3.12 or later allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data".

Product: Python Software Foundation

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4517

NVD References: 

- https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f

- https://github.com/python/cpython/issues/135034

- https://github.com/python/cpython/pull/135037

- https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/

CVE-2025-25022 - IBM QRadar Suite Software version 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security version 1.10.0.0 through 1.10.11.0 may expose highly sensitive information to unauthenticated users through configuration files.

Product: IBM QRadar Suite Software

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25022

NVD References: https://www.ibm.com/support/pages/node/7235432

CVE-2025-44148 - MailEnable before version 10 is vulnerable to Cross Site Scripting (XSS) attacks, enabling remote attackers to execute arbitrary code through the failure.aspx component.

Product: MailEnable 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44148

NVD References: http://mailenable.com

CVE-2025-45854 - JEHC-BPM v2.0.1 is vulnerable to arbitrary code execution through file uploads in /server/executeExec.

Product: JEHC-BPM

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45854

CVE-2025-32105 - The Sangoma IMG2020 HTTP server through 2.3.9.6 is vulnerable to a buffer overflow, allowing remote code execution for unauthenticated users.

Product: Sangoma IMG2020

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32105

NVD References: https://github.com/austin2111/papers/blob/main/Software_Vulnerabilities_in_Telecommunications_Hardware.pdf

CVE-2025-32106 - Audiocodes Mediapack MP-11x through 6.60A.369.002 allows for unauthenticated remote code execution via a crafted POST request.

Product: Audiocodes MP-112

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32106

NVD References: 

- https://Audiocodes.com

- https://github.com/austin2111/papers/blob/main/Software_Vulnerabilities_in_Telecommunications_Hardware.pdf

CVE-2025-23097 - An issue was discovered in Samsung Mobile Processor Exynos 1380. The lack of a length check leads to out-of-bounds writes.

Product: Samsung Exynos 1380

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23097

NVD References: 

- https://semiconductor.samsung.com/support/quality-support/product-security-updates/

- https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23097/

CVE-2025-49001 - DataEase prior to v2.10.10 allows a user to forge a JWT token by bypassing secret verification.

Product: DataEase 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49001

NVD References: https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r

CVE-2025-49002 - DataEase has a vulnerability in versions prior to v2.10.10 allowing bypass of CVE-2025-32966 patch through case insensitivity, fixed in v2.10.10 with no known workarounds.

Product: DataEase 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49002

NVD References: 

- https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34

- https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7

CVE-2025-49223 - Billboard.js before 3.15.1 is vulnerable to prototype pollution via the function generate, allowing for potential arbitrary code execution or Denial of Service attacks.

Product: Naver Billboard.Js

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49223

NVD References: https://cve.naver.com/detail/cve-2025-49223.html

CVE-2025-20286 - Cisco Identity Services Engine (ISE) in cloud deployments of AWS, Microsoft Azure, and Oracle Cloud Infrastructure could allow unauthorized access to sensitive data and system configurations.

Product: Cisco Identity Services Engine (ISE)

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20286

NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

CVE-2025-5600 - TOTOLINK EX1200T 4.1.2cu.5232_B20210713 is vulnerable to a critical stack-based buffer overflow in the setLanguageCfg function of the file /cgi-bin/cstecgi.cgi, allowing remote attackers to initiate an attack by manipulating the LangType argument. The exploit has been disclosed to the public.

Product: TOTOLINK EX1200T

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5600

NVD References: 

- https://kn0sinna.notion.site/TOTOLINK-EX1200T-stack-based-BufferOverflow-vulnerability-204b1876cd6e80709ce8dab4778dce55

- https://www.totolink.net/

CVE-2025-5622, CVE-2025-5623, CVE-2025-5624, CVE-2025-5630 - D-Link DIR-816 1.10CNB05 critical stack-based buffer overflow vulnerabilities.

Product: D-Link DIR-816

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5622

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5623

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5624

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5630

NVD References: 

- https://www.dlink.com/

- https://github.com/wudipjq/my_vuln/blob/main/D-Link5/vuln_50/50.md

- https://github.com/wudipjq/my_vuln/blob/main/D-Link5/vuln_51/51.md

- https://github.com/wudipjq/my_vuln/blob/main/D-Link5/vuln_53/53.md

- https://github.com/wudipjq/my_vuln/blob/main/D-Link5/vuln_54/54.md

CVE-2025-3365 - A missing protection against path traversal allows access to any file on the server.

Product: Nozomi Networks Guardian

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3365

NVD References: https://www.bbraun.com/productsecurity

CVE-2025-27531 - Apache InLong is vulnerable to deserialization of untrusted data which allows an attacker to read arbitrary files by double writing the param.

Product: Apache InLong

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27531

NVD References: 

- https://lists.apache.org/thread/r62lkqrr739wvcb60j6ql6q63rh4bxx5

- http://www.openwall.com/lists/oss-security/2025/02/28/2

CVE-2025-41646 - The Kunbus RevPi Webstatus application is vulnerable to an unauthorized remote attacker bypassing authentication through incorrect type conversion, resulting in full device compromise.

Product: Kunbus RevPi Status

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41646

NVD References: https://www.kunbus.com/en/productsecurity/Kunbus-2025-0000003

CVE-2025-3461 - The Quantenna Wi-Fi chips ship with an unauthenticated telnet interface by default, posing a high security risk due to missing authentication for critical functions.

Product: Quantenna Wi-Fi chipset

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3461

NVD References: 

- https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices

- https://takeonme.org/cves/cve-2025-3461/

CVE-2025-5893 - Smart Parking Management System from Honding Technology is vulnerable to unauthorized remote access and plaintext administrator credential theft due to an Exposure of Sensitive Information flaw.

Product: Honding Technology Smart Parking Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5893

NVD References: 

- https://www.twcert.org.tw/en/cp-139-10169-651d6-2.html

- https://www.twcert.org.tw/tw/cp-132-10167-39c6d-1.html

CVE-2025-3835 - Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.

Product: Zohocorp ManageEngine Exchange Reporter Plus

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3835

NVD References: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-3835.html

CVE-2025-49013 - WilderForge is vulnerable to code injection via unsafe usage of user-controlled variables in GitHub Actions workflows, potentially leading to arbitrary command execution and compromise of CI infrastructure and secrets.

Product: WilderForge

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49013

NVD References: 

- https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection

- https://github.com/WilderForge/WilderForge/security/advisories/GHSA-m6r3-c73x-8fw5

- https://securitylab.github.com/research/github-actions-untrusted-input

CVE-2025-49136 - Listmonk version 4.0.0 to 5.0.1 allows non-super-admin users to capture sensitive environment variables using the `env` and `expandenv` template functions, which can be mitigated by upgrading to version 5.0.2.

Product: Listmonk

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49136

NVD References: https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h

CVE-2025-49652 - Lablup's BackendAI lacks proper authentication in its registration feature, allowing unauthorized users to create accounts with access to sensitive data.

Product: Lablup BackendAI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49652

NVD References: https://hiddenlayer.com/sai_security_advisor/2025-05-backendai-49653/

CVE-2025-30184 - CyberData 011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.

Product: CyberData 011209 Intercom

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30184

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-155-01

CVE-2025-30515 - CyberData 011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.

Product: CyberData 011209 Intercom

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30515

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-155-01

CVE-2025-42989 - RFC inbound processing lacks necessary authorization checks, allowing authenticated user privilege escalation and critical impact on application integrity and availability.

Product: SAP NetWeaver Application Server for ABAP 

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42989

NVD References: 

- https://me.sap.com/notes/3600840

- https://url.sap/sapsecuritypatchday

CVE-2025-1041 - Avaya Call Management System is vulnerable to unauthorized remote command execution through specially crafted web requests in affected versions 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0.

Product: Avaya Call Management System

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1041

NVD References: https://support.avaya.com/css/public/documents/101093084

CVE-2025-49455 - Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection. This issue affects TinySalt: from n/a before 3.10.0.

Product: LoftOcean TinySalt

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49455

NVD References: https://patchstack.com/database/wordpress/theme/tinysalt/vulnerability/wordpress-tinysalt-3-10-0-php-object-injection-vulnerability?_s_id=cve

CVE-2025-49507 - Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay allows Object Injection. This issue affects CozyStay: from n/a before 1.7.1.

Product: LoftOcean CozyStay

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49507

NVD References: https://patchstack.com/database/wordpress/theme/cozystay/vulnerability/wordpress-cozystay-1-7-1-php-object-injection-vulnerability?_s_id=cve

CVE-2024-34711 - GeoServer's improper URI validation vulnerability allows unauthorized attackers to perform XEE attacks and send GET requests to any HTTP server, potentially leading to the scanning of internal networks and further exploitation.

Product: GeoServer

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34711

NVD References: 

- https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities

- https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965

CVE-2025-30220 - GeoServer is vulnerable to XML External Entity (XXE) exploit due to the GeoTools Schema class using Eclipse XSD library improperly, impacting users who expose XML processing with gt-xsd-core involved in parsing documents with external XML schema references.

Product: Open Source Geospatial Foundation GeoServer

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30220

NVD References: 

- https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities

- https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc

- https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw

CVE-2025-40585 - Energy Services (All versions with G5DFR) have default credentials, allowing attackers to take control of the G5DFR component and tamper with device outputs.

Product: Energy Services G5DFR

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40585

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-345750.html

CVE-2025-47110 - Adobe Commerce versions 2.4.8 and earlier are vulnerable to stored Cross-Site Scripting (XSS) attacks, allowing high privileged attackers to inject malicious scripts into form fields and execute them in victims' browsers.

Product: Adobe Commerce

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47110

NVD References: https://helpx.adobe.com/security/products/magento/apsb25-50.html

CVE-2024-57190 - Erxes <1.6.1 is vulnerable to Incorrect Access Control, allowing attackers to bypass authentication with a forged "User" HTTP header.

Product: Erxes

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57190

NVD References: 

- https://github.com/erxes/erxes/commit/4ed2ca797241d2ba0c9083feeadd9755c1310ce8

- https://www.sonarsource.com/blog/micro-services-major-headaches-detecting-vulnerabilities-in-erxes-microservices/

CVE-2025-29828 - Windows Cryptographic Services allows an unauthorized attacker to execute code over a network due to missing release of memory after effective lifetime.

Product: Microsoft Windows Cryptographic Services

CVSS Score: 8.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29828

ISC Diary: https://isc.sans.edu/diary/32032

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29828

CVE-2025-32710 - Use after free in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.

Product: Microsoft Windows Remote Desktop Services

CVSS Score: 8.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32710

ISC Diary: https://isc.sans.edu/diary/32032

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32710

CVE-2025-33073 - Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.

Product: Microsoft Windows SMB

CVSS Score: 8.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33073

ISC Diary: https://isc.sans.edu/diary/32032

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073

CVE-2025-2474 - QNX SDP versions 8.0, 7.1, and 7.0 are vulnerable to an out-of-bounds write in the PCX image codec, which could result in a denial-of-service or code execution by an unauthenticated attacker.

Product: QNX SDP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2474

NVD References: https://support.blackberry.com/pkb/s/article/140646

CVE-2025-3052 - Microsoft signed UEFI firmware is vulnerable to arbitrary write attacks, putting the system at risk of full compromise and security bypasses.

Product: Microsoft UEFI firmware

CVSS Score: 8.2

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3052

ISC Diary: https://isc.sans.edu/diary/32032

NVD References: 

- https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html

- https://www.binarly.io/advisories/brly-dva-2025-001

- https://www.kb.cert.org/vuls/id/806555

CVE-2025-4797 - The Golo - City Travel Guide WordPress Theme is vulnerable to privilege escalation via account takeover in all versions up to 1.7.0 due to improper user identity validation, allowing unauthenticated attackers to log in as any user.

Product: Golo City Travel Guide WordPress Theme

Active Installations: Unknown. Update to version 1.7.1 or a newer patched version.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4797

NVD References: 

- https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810

- https://www.wordfence.com/threat-intel/vulnerabilities/id/e7b56ec1-8735-4404-8069-219f5d8866d0?source=cve

CVE-2025-4578 - The File Provider WordPress plugin is vulnerable to SQL injection due to an unsanitized parameter in an AJAX action accessible to unauthenticated users.

Product: Dimdavid File_Provider 

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4578

NVD References: https://wpscan.com/vulnerability/3aa76b96-40b7-4bde-a39c-c1aa6f8278fc/

CVE-2025-5701 - The HyperComments plugin for WordPress allows unauthenticated attackers to escalate privileges and gain administrative user access by exploiting a missing capability check in versions up to 1.2.2.

Product: HyperComments WordPress plugin

Active Installations: This plugin has been closed as of November 28, 2019 and is not available for download. Reason: Security Issue.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5701

NVD References: 

- https://plugins.trac.wordpress.org/browser/hypercomments/trunk/hypercomments.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/07fd6bee-5b00-4fc1-9f7a-3857fd35c763?source=cve

CVE-2025-5486 - The WP Email Debug plugin for WordPress is vulnerable to privilege escalation through unauthenticated attackers gaining administrator access via the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0.

Product: WordPress WP Email Debug plugin

Active Installations: This plugin has been closed as of June 3, 2025 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5486

NVD References: 

- https://plugins.trac.wordpress.org/browser/wp-email-debug/trunk/hooks.php#L71

- https://www.wordfence.com/threat-intel/vulnerabilities/id/d3af64a2-3bd6-47af-919e-00c5249dcc74?source=cve

CVE-2025-47586 - Motors - Events is vulnerable to PHP Remote File Inclusion from version n/a through 1.4.7.

Product: StylemixThemes Motors - Events

Active Installations: Unknown. 

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47586

NVD References: https://patchstack.com/database/wordpress/plugin/stm-motors-events/vulnerability/wordpress-motors-events-plugin-1-4-7-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-49072 - Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy allows Object Injection. This issue affects Mr. Murphy: from n/a before 1.2.12.1.

Product: AncoraThemes Mr. Murphy

Active Installations: Unknown. Update to version 1.2.12.1 or later.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49072

NVD References: https://patchstack.com/database/wordpress/theme/mr-murphy/vulnerability/wordpress-mr-murphy-1-2-12-1-php-object-injection-vulnerability?_s_id=cve

CVE-2025-49073 - Deserialization of Untrusted Data vulnerability in Axiomthemes Sweet Dessert allows Object Injection. This issue affects Sweet Dessert: from n/a before 1.1.13.

Product: Axiomthemes Sweet Dessert

Active Installations: Unknown. Update to version 1.1.13 or later.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49073

NVD References: https://patchstack.com/database/wordpress/theme/sweet-dessert/vulnerability/wordpress-sweet-dessert-1-1-13-php-object-injection-vulnerability?_s_id=cve

CVE-2025-24767 - TicketBAI Facturas para WooCommerce is vulnerable to Blind SQL Injection from n/a through version 3.19.

Product: facturaone TicketBAI Facturas para WooCommerce

Active Installations: Unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24767

NVD References: https://patchstack.com/database/wordpress/plugin/wp-ticketbai/vulnerability/wordpress-ticketbai-facturas-para-woocommerce-3-19-sql-injection-vulnerability?_s_id=cve

CVE-2025-31022 - PayU India is susceptible to Authentication Abuse through an alternate path or channel in versions n/a through 3.8.5.

Product: PayU India

Active Installations: 5,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31022

NVD References: https://patchstack.com/database/wordpress/plugin/payu-india/vulnerability/wordpress-payu-india-plugin-3-8-5-account-takeover-vulnerability?_s_id=cve

CVE-2025-31039 - Category Icon allows XML Entity Linking, exposing an Improper Restriction of XML External Entity Reference vulnerability from version n/a through 1.0.2.

Product: pixelgrade Category Icon

Active Installations: 2,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31039

NVD References: https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-xml-external-entity-xxe-vulnerability?_s_id=cve

CVE-2025-31052 - The Fashion - Model Agency One Page Beauty Theme is vulnerable to object injection via deserialization of untrusted data from n/a through 1.4.4.

Product: themeton The Fashion - Model Agency One Page Beauty Theme

Active Installations: Unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31052

NVD References: https://patchstack.com/database/wordpress/theme/nrgfashion/vulnerability/wordpress-the-fashion-model-agency-one-page-beauty-theme-1-4-4-deserialization-of-untrusted-data-vulnerability?_s_id=cve

CVE-2025-31396 - FLAP - Business WordPress Theme is vulnerable to a deserialization of untrusted data issue, allowing for object injection, affecting versions from n/a through 1.5.

Product: themeton FLAP - Business WordPress Theme

Active Installations: Unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31396

NVD References: https://patchstack.com/database/wordpress/theme/flap/vulnerability/wordpress-flap-business-wordpress-theme-1-5-php-object-injection-vulnerability?_s_id=cve

CVE-2025-31429 - PressGrid - Frontend Publish Reaction & Multimedia Theme from n/a through 1.3.1 allows Object Injection via Deserialization of Untrusted Data vulnerability.

Product: themeton PressGrid - Frontend Publish Reaction & Multimedia Theme

Active Installations: Unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31429

NVD References: https://patchstack.com/database/wordpress/theme/press-grid/vulnerability/wordpress-pressgrid-frontend-publish-reaction-multimedia-theme-1-3-1-deserialization-of-untrusted-data-vulnerability?_s_id=cve

CVE-2025-31059 - Woobewoo WBW Product Table PRO allows SQL Injection through improper neutralization of special elements in an SQL command, affecting versions n/a through 2.1.3.

Product: Woobewoo WBW Product Table PRO

Active Installations: 2,000+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31059

NVD References: https://patchstack.com/database/wordpress/plugin/woo-producttables-pro/vulnerability/wordpress-wbw-product-table-pro-2-1-3-sql-injection-vulnerability?_s_id=cve

CVE-2025-31424 - WP Lead Capturing Pages is vulnerable to Blind SQL Injection from versions n/a through 2.3.

Product: kamleshyadav WP Lead Capturing Pages

Active Installations: Unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31424

NVD References: https://patchstack.com/database/wordpress/plugin/leadcapture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-3-sql-injection-vulnerability?_s_id=cve

CVE-2025-32291 - SUMO Affiliates Pro in FantasticPlugins allows attackers to upload malicious files due to an unrestricted file upload vulnerability.

Product: FantasticPlugins SUMO Affiliates Pro

Active Installations: Unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32291

NVD References: https://patchstack.com/database/wordpress/plugin/affs/vulnerability/wordpress-sumo-affiliates-pro-10-7-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2025-47608 - Recover abandoned cart for WooCommerce is vulnerable to SQL Injection from n/a through 2.5.

Product: sonalsinha21 Recover abandoned cart for WooCommerce

Active Installations: 100+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47608

NVD References: https://patchstack.com/database/wordpress/plugin/recover-wc-abandoned-cart/vulnerability/wordpress-recover-abandoned-cart-for-woocommerce-2-5-sql-injection-vulnerability?_s_id=cve

CVE-2025-48122 - Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light is vulnerable to SQL Injection from n/a through 2.4.37.

Product: Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light

Active Installations: 600+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48122

NVD References: https://patchstack.com/database/wordpress/plugin/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/vulnerability/wordpress-spreadsheet-price-changer-for-woocommerce-and-wp-e-commerce-light-2-4-37-sql-injection-vulnerability?_s_id=cve

CVE-2025-48123 - Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light allows code injection, affecting versions from n/a through 2.4.37.

Product: Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light

Active Installations: 600+

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48123

NVD References: https://patchstack.com/database/wordpress/plugin/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/vulnerability/wordpress-spreadsheet-price-changer-for-woocommerce-and-wp-e-commerce-light-2-4-37-remote-code-execution-rce-vulnerability?_s_id=cve

CVE-2025-48129 - Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light versions n/a through 2.4.37 allow privilege escalation due to incorrect privilege assignment.

Product: Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light

Active Installations: 600+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48129

NVD References: https://patchstack.com/database/wordpress/plugin/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/vulnerability/wordpress-spreadsheet-price-changer-for-woocommerce-and-wp-e-commerce-light-2-4-37-privilege-escalation-vulnerability?_s_id=cve

CVE-2025-48140 - MetalpriceAPI is vulnerable to Code Injection from version n/a through 1.1.4.

Product: MetalpriceAPI

Active Installations: 400+. Update to version 1.1.5 or later.

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48140

NVD References: https://patchstack.com/database/wordpress/plugin/metalpriceapi/vulnerability/wordpress-metalpriceapi-1-1-4-remote-code-execution-rce-vulnerability?_s_id=cve

CVE-2025-48141 - Alex Zaytseff Multi CryptoCurrency Payments is susceptible to SQL Injection through improper neutralization of special elements in SQL commands, affecting versions from n/a through 2.0.3.

Product: Alex Zaytseff Multi CryptoCurrency Payments

Active Installations: 400+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48141

NVD References: https://patchstack.com/database/wordpress/plugin/multi-crypto-currency-payment/vulnerability/wordpress-multi-cryptocurrency-payments-2-0-3-sql-injection-vulnerability?_s_id=cve

CVE-2025-48281 - MyStyle Custom Product Designer is vulnerable to Blind SQL Injection from n/a through 3.21.1.

Product: mystyleplatform MyStyle Custom Product Designer

Active Installations: 80+. Update to version 3.21.2 or later.

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48281

NVD References: https://patchstack.com/database/wordpress/plugin/mystyle-custom-product-designer/vulnerability/wordpress-mystyle-custom-product-designer-3-21-1-sql-injection-vulnerability?_s_id=cve
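A quick way to find out whether a site you run ships any of the WordPress plugins and themes listed above: the script below is an added example written for this page, not code from ISC, Patchstack or NVD. It reads the `Version:` header that every WordPress plugin (main PHP file) and theme (`style.css`) carries, and flags installs at or below the last affected version. Two assumptions are baked in and labelled in the code: "n/a through X" is read as every version up to and including X, and the on-disk folder name is assumed to equal the Patchstack slug from the reference URLs (premium plugins are sometimes installed under a different folder name, so check those by hand). The version ceiling for SUMO Affiliates Pro is taken from the Patchstack URL, since the entry text gives none.

```python
"""Scan a wp-content tree for the vulnerable plugin/theme versions listed above.

Added example for this page; not ISC, Patchstack or NVD code.
Assumptions (not stated in the entries themselves):
  * "n/a through X" means every version <= X is affected.
  * Folder names under wp-content/{plugins,themes}/ match the Patchstack slugs
    seen in the reference URLs; verify manually for premium products.
"""
import re
import tempfile
from pathlib import Path

# slug -> (CVE, kind, last affected version), taken from the entries above
AFFECTED = {
    "flap": ("CVE-2025-31396", "theme", "1.5"),
    "press-grid": ("CVE-2025-31429", "theme", "1.3.1"),
    "woo-producttables-pro": ("CVE-2025-31059", "plugin", "2.1.3"),
    "leadcapture": ("CVE-2025-31424", "plugin", "2.3"),
    "affs": ("CVE-2025-32291", "plugin", "10.7.0"),  # ceiling from the Patchstack URL
    "recover-wc-abandoned-cart": ("CVE-2025-47608", "plugin", "2.5"),
    "excel-like-price-change-for-woocommerce-and-wp-e-commerce-light":
        ("CVE-2025-48122/48123/48129", "plugin", "2.4.37"),
    "metalpriceapi": ("CVE-2025-48140", "plugin", "1.1.4"),
    "multi-crypto-currency-payment": ("CVE-2025-48141", "plugin", "2.0.3"),
    "mystyle-custom-product-designer": ("CVE-2025-48281", "plugin", "3.21.1"),
}

# "Version: 1.2.3" on its own header line, optionally preceded by " * " in a docblock
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def parse_version(text):
    """Return the Version: value from a WordPress plugin/theme header, or None."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def version_key(v):
    """Split a dotted version into ints; non-numeric parts (e.g. 'beta') count as 0."""
    return [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]


def is_affected(installed, last_affected):
    """True if installed <= last_affected, padding so '1.5' == '1.5.0'."""
    a, b = version_key(installed), version_key(last_affected)
    n = max(len(a), len(b))
    a += [0] * (n - len(a))
    b += [0] * (n - len(b))
    return a <= b


def installed_version(component_dir, kind):
    """Themes keep the header in style.css; plugins in the PHP file with 'Plugin Name:'."""
    if kind == "theme":
        css = component_dir / "style.css"
        return parse_version(css.read_text(errors="replace")) if css.exists() else None
    for php in sorted(component_dir.glob("*.php")):
        text = php.read_text(errors="replace")
        if "Plugin Name:" in text:
            return parse_version(text)
    return None


def scan(wp_content):
    """Return [(slug, cve, installed_version)] for every affected component found."""
    wp_content = Path(wp_content)
    hits = []
    for slug, (cve, kind, last_bad) in AFFECTED.items():
        d = wp_content / ("themes" if kind == "theme" else "plugins") / slug
        if not d.is_dir():
            continue
        v = installed_version(d, kind)
        if v is None:  # present but unreadable: treat as needing manual review
            hits.append((slug, cve, "unknown (no Version header)"))
        elif is_affected(v, last_bad):
            hits.append((slug, cve, v))
    return hits


def demo():
    """Constructed wp-content tree (sample data, not a real site): one patched plugin,
    one still-vulnerable plugin and one vulnerable theme."""
    root = Path(tempfile.mkdtemp())
    (root / "plugins" / "metalpriceapi").mkdir(parents=True)
    (root / "plugins" / "metalpriceapi" / "metalpriceapi.php").write_text(
        "<?php\n/*\nPlugin Name: MetalpriceAPI\nVersion: 1.1.5\n*/\n")
    (root / "plugins" / "leadcapture").mkdir(parents=True)
    (root / "plugins" / "leadcapture" / "leadcapture.php").write_text(
        "<?php\n/**\n * Plugin Name: WP Lead Capturing Pages\n * Version: 2.3\n */\n")
    (root / "themes" / "flap").mkdir(parents=True)
    (root / "themes" / "flap" / "style.css").write_text(
        "/*\nTheme Name: FLAP\nVersion: 1.5\n*/\n")
    return scan(root)


if __name__ == "__main__":
    for slug, cve, v in demo():
        print(f"{cve}: {slug} {v} is affected")
```

On a real host, call `scan("/var/www/html/wp-content")` instead of `demo()`. The comparison is deliberately inclusive: a component still at the last affected version is reported, and a component whose header cannot be read is reported for manual review rather than silently skipped.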

The following vulnerabilities need a manual review:

CVE-2025-30399 - .NET and Visual Studio Remote Code Execution Vulnerability

Product: Microsoft .NET and Visual Studio

CVSS Score: 7.5

NVD: N/A

ISC Diary: https://isc.sans.edu/diary/32032

ISC Podcast: https://isc.sans.edu/podcastdetail/9488

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399

CVE-2025-47959 - Visual Studio Remote Code Execution Vulnerability

Product: Microsoft Visual Studio

CVSS Score: 7.1

NVD: N/A

ISC Diary: https://isc.sans.edu/diary/32032

ISC Podcast: https://isc.sans.edu/podcastdetail/9488

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47959