ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Analyzing Sharepoint Exploits (CVE-2025-53770, CVE-2025-53771)
Published: 2025-07-23
Last Updated: 2025-07-23 19:36:36 UTC
by Johannes Ullrich (Version: 1)
A few days after the exploit originally became widely known, there are now many different SharePoint exploit attempts in circulation. We do see some scans by researchers to identify vulnerable systems (or to scan for common artifacts of compromise), and a few variations of the "ToolPane<.>aspx" URL being hit. Even for our "random" honeypots, the number of hits has increased significantly without having to emulate SharePoint better.
But how do we make sense of the exploit payload? Turns out most of them are rather straightforward to reverse. I will use this commonly referred to payload as an example ...
You can also find a video walkthrough on YouTube ...
Read the full entry: https://isc.sans.edu/diary/Analyzing+Sharepoint+Exploits+CVE202553770+CVE202553771/32138/
Critical Sharepoint 0-Day Vulnerability Exploited CVE-2025-53770 (ToolShell)
Published: 2025-07-20
Last Updated: 2025-07-21 10:39:06 UTC
by Johannes Ullrich (Version: 1)
Microsoft announced yesterday that a newly discovered critical remote code execution vulnerability in SharePoint is being exploited. There is no patch available. As a workaround, Microsoft suggests using Microsoft Defender to detect any attacks. To use Defender, you must first configure the AMSI integration to give Defender visibility into SharePoint. Recent versions of SharePoint have the AMSI integration enabled by default.
Microsoft also states: "If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available."
Defender will just detect the post-exploit activity. Currently, webshells are observed as a payload being deployed, taking advantage of the vulnerability.
The best write-up and details I found so far come from the Eye Security research team. They initially used CVE-2025-49704 and CVE-2025-49706 to identify the vulnerability. Later, Microsoft confirmed that this is a new issue and started using CVE-2025-53770. This latest issue appears to be a variation of the older vulnerabilities patched in this month's Patch Tuesday.
The vulnerability exploits an authentication bypass issue triggered by setting the "Referer" header to "/_layouts/SignOut.aspx". This vulnerability is then exploited to trigger remote code execution via ...
In our honeypot data, we observed two instances of the "ToolPane.aspx" URL, first on July 16th (one individual hit; I am waiting to hear from the submitter to see if there are details available). Today, we received additional reports, but they originated from p55001.probes.atlas.ripe.net:9000 and are likely related to scanning for research purposes. These hits did not include the Referer header to trigger the vulnerability.
The hit on July 16th originated from 172.174.82.132. This IP address appears to be owned by Microsoft.
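The distinction drawn above, between "ToolPane.aspx" hits that carry the "/_layouts/SignOut.aspx" Referer and hits that do not, can be checked against IIS logs. The following is an added example, not code from the diary: it assumes W3C-format logs, and the sample lines, client IPs, status codes and URL prefix are constructed.

```python
from urllib.parse import unquote, urlsplit

# Strings taken from the diary text; compared case-insensitively.
TARGET_PAGE = "toolpane.aspx"
BYPASS_REFERER_PATH = "/_layouts/signout.aspx"

# Constructed sample in IIS W3C extended format (documentation IP ranges,
# made-up URL prefix). "-" is how IIS records an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2025-07-20 10:01:02 192.0.2.10 GET /sites/demo/ToolPane.aspx - - 401
2025-07-20 10:05:40 198.51.100.7 POST /sites/demo/ToolPane.aspx - /_layouts/SignOut.aspx 200
2025-07-20 10:06:11 203.0.113.5 POST /sites/demo/toolpane.ASPX - https://sp.example/_layouts/SignOut.aspx 200
2025-07-20 10:07:00 192.0.2.44 GET /sites/demo/default.aspx - /_layouts/SignOut.aspx 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive.

    The directive can change mid-file (log settings edited), so the field
    list is refreshed every time it appears.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def classify(record):
    """Return None for unrelated requests, else a triage label."""
    stem = unquote(record.get("cs-uri-stem", "")).lower()
    if stem.rsplit("/", 1)[-1] != TARGET_PAGE:
        return None
    if "cs(Referer)" not in record:
        # Referer logging is off: the request cannot be triaged from this log.
        return "referer-not-logged"
    referer = record["cs(Referer)"]
    if referer == "-":
        return "probe"
    # Accept both a bare path and an absolute URL in the Referer field.
    path = urlsplit(unquote(referer)).path.lower()
    return "bypass-referer" if path == BYPASS_REFERER_PATH else "probe"


def triage(text):
    """Return (client IP, status, label) for every ToolPane.aspx request."""
    hits = []
    for record in parse_w3c(text):
        label = classify(record)
        if label:
            hits.append((record.get("c-ip", "?"), record.get("sc-status", "?"), label))
    return hits


if __name__ == "__main__":
    for ip, status, label in triage(SAMPLE_LOG):
        print(f"{ip:15} {status} {label}")
```

Requests labelled `probe` match the scanner traffic described above; `bypass-referer` rows are the ones to investigate first, and `referer-not-logged` means the log configuration has to be fixed before the question can be answered.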
Microsoft Advisory: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
Eye Security Blog: https://research.eye.security/sharepoint-under-siege/
Read the full entry: https://isc.sans.edu/diary/Critical+Sharepoint+0Day+Vulnerablity+Exploited+CVE202553770+ToolShell/32122/
Hiding Payloads in Linux Extended File Attributes
Published: 2025-07-17
Last Updated: 2025-07-17 06:54:56 UTC
by Xavier Mertens (Version: 1)
This week, it's SANSFIRE! I'm attending the FOR577 training ("Linux Incident Response & Threat Hunting"). On day 2, we covered the different filesystems and how data is organized on disk. In the Linux ecosystem, most filesystems (ext3, ext4, xfs, ...) support "extended file attributes", also called "xattr". It's a file system feature that enables users to add metadata to files. This data is not directly made available to the user and may contain anything related to the file (e.g., the author's name, a brief description, ...). You may roughly compare this feature to the Alternate Data Stream (ADS) available in the Windows NTFS filesystem.
How do you use it? On Ubuntu, there is a package "attr" that contains utilities for manipulating filesystem extended attributes ...
Read the full entry: https://isc.sans.edu/diary/Hiding+Payloads+in+Linux+Extended+File+Attributes/32116/
WinRAR MoTW Propagation Privacy (2025.07.22)
https://isc.sans.edu/diary/WinRAR+MoTW+Propagation+Privacy/32130/
Wireshark 4.4.8 Released (2025.07.22)
https://isc.sans.edu/diary/Wireshark+448+Released/32128/
How quickly do we patch? A quick look from the global viewpoint (2025.07.21)
https://isc.sans.edu/diary/How+quickly+do+we+patch+A+quick+look+from+the+global+viewpoint/32126/
Veeam Phishing via Wav File (2025.07.18)
https://isc.sans.edu/diary/Veeam+Phishing+via+Wav+File/32120/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-53770 - Microsoft SharePoint Server is vulnerable to code execution by unauthorized attackers through deserialization of untrusted data, with an exploit already in the wild for CVE-2025-53770.
Product: Microsoft SharePoint Server
CVSS Score: 9.8
** KEV since 2025-07-20 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
ISC Diary: https://isc.sans.edu/diary/32122
ISC Podcast: https://isc.sans.edu/podcastdetail/9534
NVD References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
CVE-2025-53771 - Microsoft Office SharePoint is susceptible to path traversal which could enable a spoofing attack over a network.
Product: Microsoft Office SharePoint
CVSS Score: 6.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53771
ISC Podcast: https://isc.sans.edu/podcastdetail/9536
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
CVE-2025-49704 - Microsoft Office SharePoint is vulnerable to code injection, allowing attackers to execute code remotely.
Product: Microsoft Office SharePoint
CVSS Score: 0
** KEV since 2025-07-22 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49704
ISC Diary: https://isc.sans.edu/diary/32122
CVE-2025-49706 - Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Product: Microsoft Office SharePoint
CVSS Score: 0
** KEV since 2025-07-22 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49706
ISC Diary: https://isc.sans.edu/diary/32122
CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability
Product: Microsoft Exchange_Server 2019
CVSS Score: 0
** KEV since 2021-11-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-31207
ISC Diary: https://isc.sans.edu/diary/32126
CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability
Product: Microsoft Exchange_Server 2019
CVSS Score: 0
** KEV since 2021-11-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-34523
ISC Diary: https://isc.sans.edu/diary/32126
CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability
Product: Microsoft Exchange_Server 2019
CVSS Score: 0
** KEV since 2021-11-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-34473
ISC Diary: https://isc.sans.edu/diary/32126
CVE-2019-0211 - Apache HTTP Server Privilege Escalation Vulnerability
Product: Oracle Retail_Xstore_Point_Of_Service 7.1
CVSS Score: 0
** KEV since 2021-11-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-0211
ISC Diary: https://isc.sans.edu/diary/32126
CVE-2022-0028 - Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability
Product: Palo Alto Networks PAN-OS
CVSS Score: 0
** KEV since 2022-08-22 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0028
ISC Diary: https://isc.sans.edu/diary/32126
CVE-2025-25257 - Fortinet FortiWeb versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and below 7.0.10 are vulnerable to improper neutralization of special elements in SQL commands, allowing unauthenticated attackers to execute unauthorized SQL code through crafted HTTP or HTTPS requests.
Product: Fortinet FortiWeb
CVSS Score: 9.8
** KEV since 2025-07-18 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25257
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-25-151
CVE-2025-54309 - CrushFTP 10 and 11 mishandle AS2 validation, allowing remote attackers to gain admin access via HTTPS.
Product: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23
CVSS Score: 9.0
** KEV since 2025-07-22 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54309
NVD References:
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
- https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
CVE-2023-20109 - Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability
Product: Cisco IOS XE 17.11.99sw
CVSS Score: 0
** KEV since 2023-10-10 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20109
ISC Diary: https://isc.sans.edu/diary/32126
CVE-2025-20337 - Cisco ISE and Cisco ISE-PIC are susceptible to a remote code execution vulnerability that allows an unauthenticated attacker to gain root access by manipulating user input.
Product: Cisco Identity Services Engine
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20337
ISC Podcast: https://isc.sans.edu/podcastdetail/9532
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
CVE-2025-20281 - Cisco ISE and Cisco ISE-PIC are susceptible to a remote code execution vulnerability that allows an unauthenticated attacker to gain root access by manipulating user input.
Product: Cisco Identity_Services_Engine_Passive_Identity_Connector 3.4.0
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20281
ISC Podcast: https://isc.sans.edu/podcastdetail/9532
CVE-2025-20282 - Cisco ISE and Cisco ISE-PIC are vulnerable to an unauthenticated, remote attacker being able to upload arbitrary files and execute them on the underlying operating system.
Product: Cisco Identity_Services_Engine_Passive_Identity_Connector 3.4.0
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20282
ISC Podcast: https://isc.sans.edu/podcastdetail/9532
CVE-2025-6558 - Google Chrome prior to 138.0.7204.157 is vulnerable to sandbox escape via crafted HTML pages due to insufficient validation of untrusted input in ANGLE and GPU.
Product: Google Chrome
CVSS Score: 8.8
** KEV since 2025-07-22 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6558
NVD References:
- https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html
- https://issues.chromium.org/issues/427162086
CVE-2019-19781 - Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Product: Citrix Gateway_Firmware 13.0
CVSS Score: 0
** KEV since 2021-11-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-19781
ISC Diary: https://isc.sans.edu/diary/32126
CVE-2025-5333 - Remote attackers can execute arbitrary code in the context of the vulnerable service process.
Product: Microsoft Windows Operating System
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5333
ISC Podcast: https://isc.sans.edu/podcastdetail/9528
CVE-2025-53836 - XWiki Rendering allows for execution of forbidden macros in restricted mode due to a vulnerability in versions prior to 13.10.11, 14.4.7, and 14.10, requiring comments to be disabled for untrusted users until an upgrade is completed.
Product: XWiki Rendering
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53836
NVD References: https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9
CVE-2025-53890 - Pyload is vulnerable to an unsafe JavaScript evaluation exploit that allows unauthenticated attackers to execute malicious code, leading to potential session hijacking, credential theft, and remote code execution.
Product: Pyload Download Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53890
NVD References: https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53
CVE-2025-3621 - ActADUR local server product, developed and maintained by ProTNS, is vulnerable to Remote Code Inclusion due to Command Injection, Hard-coded Credentials, Improper Authentication, and Binding to an Unrestricted IP Address.
Product: ProTNS ActADUR
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3621
NVD References: https://www.protns.com/53
CVE-2025-52376 - Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below is vulnerable to an authentication bypass in the /web/um_open_telnet.cgi endpoint, enabling attackers to remotely activate Telnet without authentication and gain administrative control with hard-coded credentials.
Product: Nexxt Solutions NCM-X1800 Mesh Router
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52376
CVE-2025-6965 - SQLite versions before 3.50.2 have a vulnerability that allows the number of aggregate terms to exceed available columns, resulting in a memory corruption issue - upgrade to 3.50.2 or above.
Product: SQLite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6965
NVD References: https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
CVE-2025-41236 - VMware ESXi, Workstation, and Fusion are vulnerable to an integer-overflow flaw in the VMXNET3 virtual network adapter, allowing local admins to execute code on the host.
Product: VMware ESXi
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41236
NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
CVE-2025-41237 - VMware ESXi, Workstation, and Fusion are vulnerable to integer-underflow in VMCI, allowing a local attacker to execute code on the host.
Product: VMware ESXi, Workstation, Fusion
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41237
NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
CVE-2025-41238 - VMware ESXi, Workstation, and Fusion are vulnerable to a heap-overflow issue in the PVSCSI controller allowing local administrative actors to execute code on the host or machine.
Product: VMware ESXi
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41238
NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
CVE-2025-50067 - Oracle Application Express (component: Strategic Planner Starter App) versions 24.2.4 and 24.2.5 allow a low privileged attacker with network access to compromise the system, potentially resulting in a complete takeover.
Product: Oracle Application Express
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50067
NVD References: https://www.oracle.com/security-alerts/cpujul2025.html
CVE-2025-52688 - Cisco Access Point: Injection of commands with root privileges could compromise confidentiality, integrity, availability, and grant full control to an attacker.
Product: Cisco Access Point
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52688
NVD References:
- https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-072/
CVE-2025-52689 - Cisco Access Point: Unauthorized access to administrator privileges through spoofing login requests could alter access point behavior.
Product: Cisco Access Point
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52689
NVD References:
- https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-072/
CVE-2025-7673 - Zyxel VMG8825-T50K web server in firmware versions prior to V5.50(ABOM.5)C0 is susceptible to a buffer overflow vulnerability in the URL parser, allowing unauthenticated attackers to trigger DoS and potential code execution via a specially crafted HTTP request.
Product: Zyxel VMG8825-T50K firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7673
NVD References: https://www.zyxel.com/service-provider/global/en/zyxel-security-advisory-remote-code-execution-and-denial-service-vulnerabilities-cpe
CVE-2024-9342 - Eclipse GlassFish version 7.0.16 or earlier allows for unrestricted Login Brute Force attacks due to lack of failed login attempt limitations.
Product: Eclipse Glassfish 7.0.16
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9342
NVD References: https://gitlab.eclipse.org/security/cve-assignement/-/issues/33
CVE-2024-9408 - In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.
Product: Eclipse Glassfish 6.2.5
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9408
NVD References: https://gitlab.eclipse.org/security/cve-assignement/-/issues/38
CVE-2025-51630 - TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a buffer overflow via the ePort parameter in the function setIpPortFilterRules.
Product: TOTOLINK N350RT
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51630
CVE-2025-52046 - Totolink A3300R V17.0.0cu.596_B20250515 has a command injection vulnerability in the sub_4197C0 function, allowing unauthenticated attackers to execute arbitrary commands via crafted requests.
Product: Totolink A3300R
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52046
CVE-2025-44655 - TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9 are vulnerable to unauthorized system file access and privilege escalation due to enabled chroot_local_user option in the vsftpd.conf.
Product: TOTOLink vsftpd
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44655
CVE-2025-53909 - Mailcow: dockerized has a Server-Side Template Injection (SSTI) vulnerability in versions before 2025-07, allowing potential code execution with admin access to the notification template system.
Product: Mailcow Dockerized
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53909
NVD References: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m
CVE-2025-50240 - nbcio-boot v1.0.3 was discovered to contain a SQL injection vulnerability via the userIds parameter at /sys/user/deleteRecycleBin.
Product: nbcio boot v1.0.3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50240
CVE-2025-23266 - NVIDIA Container Toolkit contains a vulnerability allowing for arbitrary code execution and potential escalation of privileges.
Product: NVIDIA Container Toolkit
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23266
NVD References: https://nvidia.custhelp.com/app/answers/detail/a_id/5659
CVE-2025-53964 - GoldenDict 1.5.0 and 1.5.1 contain a vulnerability that allows attackers to read and modify files when a crafted dictionary is added and searched for.
Product: GoldenDict 1.5.0 and 1.5.1
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53964
NVD References: https://github.com/goldendict/goldendict/releases
CVE-2025-6185 - Leviton AcquiSuite and Energy Monitoring Hub are vulnerable to cross-site scripting, enabling attackers to execute malicious payloads and control the service.
Product: Leviton AcquiSuite
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6185
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-198-01
CVE-2025-26854 - An SQL injection in Articles Good Search extension 1.0.0 - 1.2.4.0011 for Joomla allows attackers to execute arbitrary SQL commands.
Product: Joomla Articles Good Search extension
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26854
CVE-2025-26855 - An SQL injection in Articles Calendar extension 1.0.0 - 1.0.1.0007 for Joomla allows attackers to execute arbitrary SQL commands.
Product: Joomla Articles Calendar extension
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26855
CVE-2025-47158 - Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
Product: Azure DevOps
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47158
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47158
CVE-2025-49746 - Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
Product: Azure Machine Learning
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49746
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49746
CVE-2025-49747 - Missing authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
Product: Microsoft Azure Machine Learning
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49747
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49747
CVE-2025-7916 - WinMatrix3 by Simopro Technology is vulnerable to unauthenticated remote attackers executing arbitrary code via maliciously crafted serialized contents.
Product: Simopro Technology WinMatrix3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7916
NVD References: https://www.twcert.org.tw/en/cp-139-10257-e88f3-2.html
CVE-2025-7918 - WinMatrix3 Web package developed by Simopro Technology is vulnerable to SQL Injection, enabling remote attackers to manipulate database contents.
Product: Simopro Technology WinMatrix3 Web package
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7918
NVD References: https://www.twcert.org.tw/en/cp-139-10264-6c4b7-2.html
CVE-2025-7343 - The SFT developed by Digiwin is vulnerable to SQL Injection, enabling unauthenticated remote attackers to manipulate database content.
Product: Digiwin SFT
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7343
NVD References: https://www.twcert.org.tw/en/cp-139-10271-25ea9-2.html
CVE-2025-7921 - Askey modem models have a Stack-based Buffer Overflow vulnerability that allows attackers to execute arbitrary code remotely without authentication.
Product: Askey Certain modem models
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7921
NVD References: https://www.twcert.org.tw/en/cp-139-10269-c9839-2.html
CVE-2024-6107 - MAAS is vulnerable to authentication bypass by a malicious client, allowing them to run RPC commands in a region, now fixed in the updated snaps.
Product: MAAS
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6107
CVE-2025-6704 - Sophos Firewall versions older than 21.0 MR2 (21.0.2) may be vulnerable to pre-auth remote code execution due to an arbitrary file writing issue in the Secure PDF eXchange (SPX) feature.
Product: Sophos Firewall
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6704
NVD References: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
CVE-2025-7624 - Sophos Firewall versions older than 21.0 MR2 are vulnerable to SQL injection, potentially allowing for remote code execution if certain conditions are met.
Product: Sophos Firewall
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7624
NVD References: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
CVE-2025-44658 - Netgear RAX30 V1.0.10.94 is vulnerable to a PHP-FPM misconfiguration, allowing attackers to upload malicious scripts with alternate extensions and execute them as PHP, potentially leading to remote code execution, information disclosure, or system compromise.
Product: Netgear RAX30 V1.0.10.94
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44658
CVE-2025-7393 - Drupal Mail Login is vulnerable to Brute Force attacks due to allowing excessive authentication attempts from versions 3.0.0 to 3.2.0 and 4.0.0 to 4.2.0.
Product: Drupal Mail Login
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7393
NVD References: https://www.drupal.org/sa-contrib-2025-088
CVE-2025-36846 - Eveo URVE Web Manager 27.02.2025 is vulnerable to OS Command Injection through the unauthenticated /_internal/pc/vpro.php localhost endpoint, allowing attackers to execute arbitrary commands.
Product: Eveo URVE Web Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-36846
CVE-2025-44654 - Linksys E2500 3.0.04.002 is vulnerable to unauthorized access, privilege escalation, and use as a pivot point due to the enabled chroot_local_user option in the vsftpd configuration file.
Product: Linksys E2500
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44654
CVE-2020-26799 - Luxcal 4.5.2 contains a reflected cross-site scripting (XSS) vulnerability in index.php that enables unauthorized users to access and steal data from other users.
Product: Luxsoft Luxcal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-26799
CVE-2025-52362 - PHProxy version 1.1.1 and prior is susceptible to an SSRF vulnerability due to inadequate input validation, enabling a remote attacker to manipulate URLs.
Product: PHProxy version 1.1.1
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52362
CVE-2025-54122 - Manager-io has a critical unauthenticated SSRF vulnerability in versions up to and including 25.7.18.2519, allowing attackers to bypass network isolation and potentially access internal services and sensitive data.
Product: Manager-io Manager
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54122
CVE-2025-4285 - Agentis: before 4.32 is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands.
Product: Rolantis Information Technologies Agentis
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4285
CVE-2025-5393 - The Alone – Charity Multipurpose Non-profit WordPress Theme is vulnerable to arbitrary file deletion in versions up to 7.8.3, allowing unauthenticated attackers to delete critical files and potentially achieve remote code execution.
Product: Alone Charity Multipurpose Non-profit WordPress Theme
Active Installations: Unknown
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5393
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209?source=cve
CVE-2025-5394 - The Alone – Charity Multipurpose Non-profit WordPress Theme is vulnerable to arbitrary file uploads allowing unauthenticated attackers to achieve remote code execution.
Product: Alone Charity Multipurpose Non-profit WordPress Theme
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5394
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve
CVE-2025-7340 - The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code.
Product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7340
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f0cb666b-bfab-492f-a74e-11dc9b171136?source=cve
CVE-2025-7341 - The HT Contact Form Widget plugin for WordPress is vulnerable to arbitrary file deletion, allowing unauthenticated attackers to potentially execute remote code.
Product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Active Installations: 10,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7341
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/32da04ba-bee3-4fd3-b91b-57e588d5f4e4?source=cve
CVE-2025-7360 - The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving, allowing unauthenticated attackers to potentially execute remote code.
Product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Active Installations: 10,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7360
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/dd42c83c-c51c-45a5-8ad5-0df2c0cc411d?source=cve
CVE-2025-54010 - FluentSnippets is vulnerable to a Cross-Site Request Forgery (CSRF) issue from versions n/a through 10.50.
Product: Shahjahan Jewel FluentSnippets
Active Installations: 20,000+
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54010
CVE-2025-28959 - Md Yeasin Ul Haider URL Shortener is vulnerable to SQL Injection from version n/a through 3.0.7.
Product: Md Yeasin Ul Haider URL Shortener
Active Installations: Unknown
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28959
NVD References: https://patchstack.com/database/wordpress/plugin/exact-links/vulnerability/wordpress-url-shortener-3-0-7-sql-injection-vulnerability?_s_id=cve
CVE-2025-28961 - Md Yeasin Ul Haider URL Shortener is vulnerable to Object Injection due to Deserialization of Untrusted Data from version n/a through 3.0.7.
Product: Md Yeasin Ul Haider URL Shortener
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28961
CVE-2025-28982 - ThimPress WP Pipes is vulnerable to SQL Injection due to improper neutralization of special elements, impacting versions from n/a through 1.4.3.
Product: ThimPress WP Pipes
Active Installations: 500+
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28982
NVD References: https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-1-4-3-sql-injection-vulnerability?_s_id=cve
CVE-2025-29009 - Medical Prescription Attachment Plugin for WooCommerce allows unauthorized users to upload dangerous files, potentially leading to the upload of a web shell on a web server.
Product: Webkul Medical Prescription Attachment Plugin for WooCommerce
Active Installations: Unknown
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29009
CVE-2025-48300 - Adrian Tobey Groundhogg allows users to upload dangerous file types, potentially enabling the upload of a web shell to a web server.
Product: Adrian Tobey Groundhogg
Active Installations: 2,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48300
CVE-2025-52714 - Traveler: from n/a through n/a is vulnerable to SQL Injection due to Improper Neutralization of Special Elements in SQL Commands.
Product: shinetheme Traveler
Active Installations: unknown
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52714
NVD References: https://patchstack.com/database/wordpress/theme/traveler/vulnerability/wordpress-traveler-3-2-2-sql-injection-vulnerability?_s_id=cve
CVE-2025-52836 - The E-Commerce ERP from Unity Business Technology Pty Ltd allows Privilege Escalation due to Incorrect Privilege Assignment in versions n/a through 2.1.1.3.
Product: Unity Business Technology Pty Ltd The E-Commerce ERP
Active Installations: This plugin has been closed as of May 29, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52836
CVE-2025-5396 - The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution due to unvalidated user input in the bbackup_ajax_handle() function, allowing attackers to execute code and potentially create backdoors on the server.
Product: Bears Backup plugin for WordPress
Active Installations: unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5396
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/81b44abb-6d30-4930-b68b-9a04d93f5169?source=cve
CVE-2025-7712 - The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion through insufficient path validation, allowing unauthenticated attackers to potentially execute remote code.
Product: Madara Core plugin for WordPress
Active Installations: unknown
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7712
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f9de8e90-5bda-4ab1-aa78-2748cd717376?source=cve
CVE-2025-6222 - The WooCommerce Refund And Exchange with RMA - Warranty Management WordPress theme is vulnerable to arbitrary file uploads in all versions up to 3.2.6, allowing unauthenticated attackers to potentially achieve remote code execution.
Product: WooCommerce Refund And Exchange with RMA - Warranty Management
Active Installations: 5,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6222
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/35a7b5a1-b052-4390-8e08-f97aa9c16b29?source=cve
CVE-2025-7643 - The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion, allowing unauthenticated attackers to execute remote code.
Product: WordPress Attachment Manager plugin
Active Installations: This plugin has been closed as of July 14, 2025 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7643
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/5731b971-4408-4c64-809c-e95fba33009e?source=cve
CVE-2025-7444 - The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to log in as any existing user on the site.
Product: WordPress LoginPress Pro plugin
Active Installations: 200,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7444
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/80fcb3af-0b27-4442-aca0-58626b68f0d9?source=cve
CVE-2025-7696 - The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function, allowing unauthenticated attackers to inject a PHP Object and potentially delete arbitrary files, leading to denial of service or remote code execution.
Product: Integration for Pipedrive Contact Form 7
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7696
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6980112b-a555-47a4-b2d7-f0187d52fc63?source=cve
CVE-2025-7697 - The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection, allowing unauthenticated attackers to inject a PHP Object and potentially leading to denial of service or remote code execution.
Product: Integration for Google Sheets Contact Form 7
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7697
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a0146f17-35bd-45cf-b9c6-c4fce688efc2?source=cve
CVE-2012-10019 - The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code on affected sites.
Product: WordPress Front End Editor plugin
Active Installations: 600+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2012-10019
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f271c2e7-9d58-4dea-95d3-3ffc4ec7c3b2?source=cve
CVE-2015-10135 - The WPshop 2 – E-Commerce plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution due to missing file type validation.
Product: WPshop 2 E-Commerce plugin for WordPress
Active Installations: 90+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10135
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/32e8224d-a653-48d7-a3f4-338fc0c1dc77?source=cve
CVE-2016-15043 - The WP Mobile Detector plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code.
Product: WP Mobile Detector WordPress plugin
Active Installations: This plugin has been closed as of November 21, 2016 and is not available for download. Reason: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15043
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/5a5d5dbd-36f0-4886-adf8-045ec9c2e306?source=cve
CVE-2015-10138 - The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code.
Product: Wordfence Work The Flow File Upload plugin for WordPress
Active Installations: This plugin has been closed as of September 12, 2018 and is not available for download. Reason: Security Issue.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10138
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/eb271cc8-01ec-45eb-9d6f-efc55c7c3923?source=cve
CVE-2012-10020 - The FoxyPress plugin for WordPress allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially leading to remote code execution.
Product: FoxyPress WordPress
Active Installations: This plugin has been closed as of October 9, 2014 and is not available for download. Reason: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2012-10020
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8fbc88da-8944-433c-b94d-9604ffe13d8a?source=cve
CVE-2015-10137 - The Website Contact Form With File Upload plugin for WordPress allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.
Product: WordPress Website Contact Form With File Upload plugin
Active Installations: This plugin has been closed as of October 24, 2016 and is not available for download. Reason: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10137
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8395e0c4-3feb-4551-9f2f-7b80cd187eca?source=cve
CVE-2025-6187 - The bSecure plugin for WordPress allows unauthenticated attackers to escalate privileges by exploiting missing authorization in its order_info REST endpoint.
Product: bSecure WordPress plugin
Active Installations: This plugin has been closed as of July 21, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6187
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f51029-0748-4943-b0ef-fc822b14614a?source=cve