Keeping an Eye on MFA-Bombing Attacks
Published: 2025-08-18
Last Updated: 2025-08-18 14:29:47 UTC
by Rob VandenBrink (Version: 1)
I recently woke up (as one does each day, hopefully) and saw a few Microsoft MFA prompts had pinged me overnight. Since I had just awakened, I just deleted them, then two minutes later clued in - this means that one of my passwords was compromised, and I had no idea which site the compromised creds were for.
I opened the MS Authenticator app on my phone, and saw no option for "view history" - this seems like a huge miss to me.
I finally found it in the MS portal at account.microsoft.com / my signins, which translates to: https://mysignins.microsoft.com/. It's not so helpful that this information has moved over time; most of the online documentation tells you to navigate to your privacy settings to get to this page (which is not correct info for today's site).
Once you are there, this page nicely lists all the logins, successful or otherwise, as well as what site or resource they were for as well as the geography. So if you are being attacked from abroad you can see that immediately in this page. What it doesn't do is list the login geography and phone geography separately - that would be helpful, as if they don't match that's almost positively an attack, it takes the "I was on vacation" thing off the table (unless your organization uses proxies pre-vpn that is).
So perfect! What does this mitigate against? For me today, it tells me which site I need to change my password for. Also it tells me that I need to contact that customer and tell them that they've been breached somehow - all of my passwords are unique per-site and customer, so if one is compromised it's not because I used it on some less secure site - I'm not ordering take-out with any of my customer passwords for instance.
This doesn't mean that this customer has had a full compromise, that the attacker recovered it from AD (good luck with that against my longer, random string passwords) - more likely one of their web resources stores passwords in clear text or stores passwords using some reversible encryption. This also means that organization is rocking it like it's 2005 - a web resource that's most likely using their on-premise AD as its back-end authentication without MFA - then storing or caching the credentials, you know, for "performance reasons". (those same "performance reasons" that we fought against for years when implementing SSL/TLS).
What is the real attack vector here? There are a couple ...
Read the full entry: https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208/
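The diary's check is manual: open the sign-in history, look for a run of denied MFA prompts, note which resource they were for and where they came from. The same check over exported sign-in records, as an added example that is not part of the diary and not Microsoft's tooling: the field names loosely follow the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, appDisplayName, location.countryOrRegion, status.errorCode), the error code 500121 is Entra ID's "authentication failed during strong authentication request" (MFA denied, ignored or timed out), the sign-in records are constructed, and HOME_COUNTRY, the 30-minute window and the threshold of three prompts are assumptions. HOME_COUNTRY stands in for the data the portal does not show: where the user and their phone actually are, so a mismatch takes "I was on vacation" off the table.

```python
"""Added example (not from the diary): flag the MFA-bombing pattern in
exported Entra ID sign-in records. Records are constructed; field names
loosely follow the Microsoft Graph signIn resource."""
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS500121: "Authentication failed during strong authentication request",
# i.e. the MFA challenge was denied, ignored or timed out.
MFA_FAILED = 500121

# Assumption: per-user expected country, e.g. from HR or device-management data.
HOME_COUNTRY = {"rob@example.com": "CA", "alice@example.com": "CA"}


def _rec(ts, upn, ip, country, code, app):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": code}, "appDisplayName": app}


# Constructed sample: rob's password for "Customer Portal" is being replayed
# from abroad overnight; alice simply fat-fingered one prompt.
SAMPLE_SIGNINS = [
    _rec("2025-08-17T22:00:00Z", "rob@example.com", "203.0.113.7", "BR", MFA_FAILED, "Customer Portal"),
    _rec("2025-08-18T02:11:03Z", "rob@example.com", "203.0.113.7", "BR", MFA_FAILED, "Customer Portal"),
    _rec("2025-08-18T02:13:40Z", "rob@example.com", "203.0.113.7", "BR", MFA_FAILED, "Customer Portal"),
    _rec("2025-08-18T02:19:55Z", "rob@example.com", "203.0.113.9", "BR", MFA_FAILED, "Customer Portal"),
    _rec("2025-08-18T02:27:12Z", "rob@example.com", "203.0.113.9", "BR", MFA_FAILED, "Customer Portal"),
    _rec("2025-08-18T07:45:00Z", "rob@example.com", "198.51.100.4", "CA", 0, "Office 365"),
    _rec("2025-08-18T09:02:31Z", "alice@example.com", "198.51.100.5", "CA", MFA_FAILED, "Office 365"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_bombing(signins, home_country, window=timedelta(minutes=30), threshold=3):
    """Return {upn: finding} for every user with at least `threshold` failed
    MFA challenges inside any `window`. The finding names the resource the
    leaked credential belongs to (which password to change) and whether any
    attempt came from outside the user's home country."""
    failed = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == MFA_FAILED:
            failed[s["userPrincipalName"]].append(s)

    findings = {}
    for upn, events in failed.items():
        events.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        best, start = None, 0
        for end, ev in enumerate(events):  # sliding window over sorted events
            while parse_ts(ev["createdDateTime"]) - parse_ts(events[start]["createdDateTime"]) > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold and (best is None or len(burst) > len(best)):
                best = burst
        if best is None:
            continue
        countries = sorted({e["location"]["countryOrRegion"] for e in best})
        findings[upn] = {
            "count": len(best),
            "first": best[0]["createdDateTime"],
            "last": best[-1]["createdDateTime"],
            "apps": sorted({e["appDisplayName"] for e in best}),
            "source_ips": sorted({e["ipAddress"] for e in best}),
            "countries": countries,
            # Source country differs from where the user really is: treat as an attack.
            "foreign": any(c != home_country.get(upn) for c in countries),
        }
    return findings


if __name__ == "__main__":
    for upn, f in find_mfa_bombing(SAMPLE_SIGNINS, HOME_COUNTRY).items():
        print(f"{upn}: {f['count']} denied MFA prompts {f['first']}..{f['last']} "
              f"for {f['apps']} from {f['countries']} (foreign={f['foreign']}); "
              "rotate the password for those resources and notify their owner")
```

Only denied or unanswered prompts are counted; a successful sign-in from the user's own country (the 07:45 record above) does not contribute to the burst, and a single mistyped prompt (alice) stays below the threshold. Tune the window and threshold to your tenant's normal failure rate before alerting on this.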
SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations
Published: 2025-08-14
Last Updated: 2025-08-15 00:02:01 UTC
by Yee Ching Tok (Version: 1)
As the world gradually adopts and transitions to using 5G for mobile, operational technology (OT), automation and Internet-of-Things (IoT) devices, a secure 5G network infrastructure remains critical. Recently, the Automated Systems SEcuriTy (ASSET) Research Group has released a new framework named SNI5GECT [pronounced as Sni-f-Gect (sniff + 5G + inject)] that enables users of the framework to i) sniff messages from pre-authentication 5G communication in real-time and ii) inject targeted attack payloads in downlink communications towards User Equipment (UE). I had previously written about how 5G connections are established over here, hence I will be diving directly into the SNI5GECT framework. In this diary, I will briefly provide an overview of the SNI5GECT framework and discuss a new multi-stage downgrade attack leveraging the SNI5GECT framework.
As mentioned earlier, SNI5GECT can sniff uplink (UL) and downlink (DL) 5G New Radio (NR) traffic over the air and inject downlink messages at the correct timing (i.e. after a specific protocol state) so the UE would accept the message in real-time. Such features allow SNI5GECT to fingerprint, perform denial-of-service, or downgrade attacks on targets requiring message injection under different communication states. Compared to prior state-of-the-art works, the SNI5GECT framework does not require rogue gNodeB (gNB) stations when executing over-the-air sniffing and stateful injections. The absence of a rogue gNB is significant as it reduces setup complexities while increasing stealth (e.g. avoiding rogue hardware detection mechanisms) since broadcast messages [Master Information Block (MIB) and System Information Block (SIB)] are not transmitted. With reference to Figure 1, the overview of SNI5GECT is illustrated ...
Read the full entry: https://isc.sans.edu/diary/SNI5GECT+Sniffing+and+Injecting+5G+Traffic+Without+Rogue+Base+Stations/32202/
Airtell Router Scans, and Mislabeled usernames (2025.08.20)
https://isc.sans.edu/diary/Airtell+Router+Scans+and+Mislabeled+usernames/32216/
Increased Elasticsearch Recognizance Scans (2025.08.19)
https://isc.sans.edu/diary/Increased+Elasticsearch+Recognizance+Scans/32212/
AI and Faster Attack Analysis [Guest Diary] (2025.08.13)
https://isc.sans.edu/diary/AI+and+Faster+Attack+Analysis+Guest+Diary/32198/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-31324 - SAP NetWeaver Visual Composer Metadata Uploader lacks proper authorization, enabling unauthenticated agents to upload harmful executables, compromising system security.
Product: SAP NetWeaver Visual Composer
CVSS Score: 0
** KEV since 2025-04-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31324
ISC Podcast: https://isc.sans.edu/podcastdetail/9578
CVE-2025-42999 - SAP NetWeaver Visual Composer Metadata Uploader is vulnerable to upload of untrusted content that could compromise system confidentiality, integrity, and availability.
Product: SAP NetWeaver Visual Composer
CVSS Score: 0
** KEV since 2025-05-15 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42999
ISC Podcast: https://isc.sans.edu/podcastdetail/9578
CVE-2025-42950 - SAP Landscape Transformation (SLT) allows an attacker to inject arbitrary ABAP code and compromise the system, bypassing authorization checks.
Product: SAP Landscape Transformation (SLT)
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42950
NVD References: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2025.html
CVE-2025-42957 - SAP S/4HANA is susceptible to a backdoor vulnerability that allows an attacker with user privileges to inject arbitrary ABAP code, compromising system integrity and confidentiality.
Product: SAP S/4HANA
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42957
NVD References: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2025.html
CVE-2017-11882 - Microsoft Office Memory Corruption Vulnerability
Product: Microsoft Office 2016
CVSS Score: 0
** KEV since 2021-11-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
ISC Podcast: https://isc.sans.edu/podcastdetail/9570
CVE-2025-8875 - Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code. This issue affects N-central: before 2025.3.1.
Product: N-Able N-Central
CVSS Score: 7.8
** KEV since 2025-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8875
NVD References: https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/
CVE-2025-8876 - Improper Input Validation vulnerability in N-able N-central allows OS Command Injection. This issue affects N-central: before 2025.3.1.
Product: N-Able N-Central
CVSS Score: 8.8
** KEV since 2025-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8876
NVD References: https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/
CVE-2007-0671 - Microsoft Excel 2000, XP, 2003, and 2004 for Mac, and other Office products, have an unspecified vulnerability allowing remote attackers to execute arbitrary code via Exploit-MSExcel.h.
Product: Microsoft Word_Viewer 2003
CVSS Score: 0
** KEV since 2025-08-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2007-0671
CVE-2013-3893 - Microsoft Internet Explorer 6 through 11 is vulnerable to remote code execution via crafted JavaScript strings in the SetMouseCapture implementation of mshtml.dll.
Product: Microsoft Internet_Explorer 11
CVSS Score: 0
** KEV since 2025-08-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2013-3893
CVE-2025-40746 - SIMATIC RTLS Locating Manager (All versions < V3.2) allows an authenticated remote attacker to execute arbitrary code with high privileges due to lack of input validation in a backup script.
Product: SIMATIC RTLS Locating Manager Siemens
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40746
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-493787.html
CVE-2025-55010 - Kanboard project management software, before version 1.2.47, is vulnerable to unsafe deserialization in the ProjectEventActivityFormatter, allowing admin users to execute arbitrary PHP objects and potentially achieve remote code execution.
Product: Kanboard Project Management Software
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55010
CVE-2025-55167 & CVE-2025-55168 - WeGIA version prior to 3.4.8 is vulnerable to SQL Injection
Product: WeGIA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55167
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55168
CVE-2025-50154 - Windows File Explorer allows unauthorized attackers to perform network spoofing by exposing sensitive information to unauthorized actors.
Product: Microsoft Windows 10 1507
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50154
ISC Podcast: https://isc.sans.edu/podcastdetail/9568
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50154
CVE-2025-50165 - Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
Product: Microsoft Windows 11 24H2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50165
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50165
CVE-2025-50171 - Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network.
Product: Microsoft Windows Server 2022
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50171
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50171
CVE-2025-53766 - Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
Product: Microsoft Office
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53766
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53766
CVE-2025-53779 - Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network.
Product: Microsoft Windows Server 2025
CVSS Score: 7.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53779
ISC Podcast: https://isc.sans.edu/podcastdetail/9570
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779
CVE-2025-25256 - Fortinet FortiSIEM versions 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, and before 6.7.9 are vulnerable to OS Command Injection, allowing an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests.
Product: Fortinet FortiSIEM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25256
NVD References:
- https://fortiguard.fortinet.com/psirt/FG-IR-25-152
- https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/
CVE-2025-49457 - Zoom Clients for Windows may allow an unauthenticated user to gain escalated privileges through network access due to untrusted search path vulnerability.
Product: Zoom Video Communications Zoom Clients for Windows
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49457
NVD References: https://www.zoom.com/en/trust/security-bulletin/zsb-25030
CVE-2025-8760 - INSTAR 2K+ and 4K 3.11.1 Build 1124 is vulnerable to a buffer overflow through the base64_decode function of fcgi_server component when manipulating the Authorization argument, allowing for remote attacks.
Product: INSTAR 2K+ and 4K
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8760
NVD References: https://modzero.com/static/MZ-25-03_modzero_INSTAR.pdf
CVE-2025-8913 - WellChoose's Organization Portal System has a Local File Inclusion vulnerability that enables unauthenticated remote attackers to run arbitrary code on the server.
Product: WellChoose Organization Portal System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8913
NVD References: https://www.twcert.org.tw/en/cp-139-10325-70192-2.html
CVE-2025-54382 - Cherry Studio desktop client version 1.5.1 is vulnerable to remote code execution (RCE) due to an issue with streamableHttp MCP server connections that has been patched in version 1.5.2.
Product: Cherry Studio desktop client
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54382
NVD References: https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93
CVE-2025-50251 - Server side request forgery (SSRF) vulnerability in makeplane plane 0.23.1 via the password recovery.
Product: makeplane plane
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50251
CVE-2025-51451 - In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
Product: Totolink Ex1200T_Firmware 4.1.2cu.5215
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51451
NVD References: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html
CVE-2025-51452 - In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
Product: Totolink A7000R_Firmware 9.1.0u.6115_b20201022
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51452
NVD References: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/171/ids/36.html
CVE-2025-55591 - TOTOLINK-A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapDel endpoint.
Product: TOTOLINK A3002R
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55591
CVE-2025-50594 - Danphe Health Hospital Management System EMR 3.2 is vulnerable to remote attackers resetting any account password through a flaw in SecuritySettingsController.cs.
Product: Danphe Health Hospital Management System EMR
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50594
NVD References: https://www.aecyberpro.com/blog/general/2025-04-30-Account-Takeover-BOLA-Hospital-Management-System-EMR/
CVE-2025-52385 - Studio 3T v.2025.1.0 and earlier versions are vulnerable to a remote code execution attack through a crafted payload in the child_process module.
Product: Studio 3T
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52385
CVE-2025-43982 - Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices have a hidden hard-coded root account that cannot be disabled in the GUI, leaving them vulnerable.
Product: Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43982
CVE-2025-43986 - KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices have default enabled TELNET service exposed over WAN interface without authentication.
Product: KuWFi GC111-GC111-GL-LM321_V3.0_20191211
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43986
CVE-2025-43983 - KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices are vulnerable to unauthenticated access control flaws, enabling attackers to steal sensitive data, change device settings, and send unauthorized SMS messages.
Product: KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43983
CVE-2025-43984 - KuWFi GC111 devices are vulnerable to unauthenticated command execution through a crafted POST request in the SSID parameter.
Product: KuWFi GC111 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43984
CVE-2011-10018 - myBB version 1.6.4 has an unauthorized backdoor allowing remote attackers to execute arbitrary PHP code via a specially crafted collapsed cookie.
Product: myBB
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2011-10018
CVE-2025-55346 - Flowise JS injection remote code execution. Flowise is vulnerable to allowing network attackers to run arbitrary unsandboxed JS code in the context of the host by sending a simple POST request.
Product: Flowise
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55346
NVD References: https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925/
CVE-2025-8943 - Flowise OS command remote code execution. Flowise's Custom MCPs feature allows unauthenticated network attackers to execute unsandboxed OS commands due to minimal authentication and lack of RBAC.
Product: Flowise
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8943
NVD References: https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/
CVE-2025-27845 - ESPEC North America Web Controller 3 before 3.3.4 allows for exposed JWT secret with any invalid authentication request.
Product: ESPEC North America Web Controller 3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27845
NVD References: https://espec.com/na/about/detail/cve_2025_27845
CVE-2025-50518 - Libcoap library is susceptible to a use-after-free vulnerability in coap_delete_pdu_lkd function, allowing for memory corruption and arbitrary code execution.
Product: Libcoap library
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50518
CVE-2025-20265 - Cisco Secure Firewall Management Center (FMC) Software is vulnerable to injection of arbitrary shell commands by unauthenticated remote attackers due to improper handling of user input during authentication.
Product: Cisco Secure Firewall Management Center
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20265
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79
CVE-2025-8995 - Drupal Authenticator Login is vulnerable to Authentication Bypass via an Alternate Path/Channel, allowing unauthorized access.
Product: Drupal Authenticator Login
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8995
NVD References: https://www.drupal.org/sa-contrib-2025-096
CVE-2025-9060 - MSoft MFlash is vulnerable to arbitrary code execution due to insufficient parameter validation in integration configuration, affecting versions 8.0 and possibly others, mitigated by applying hotfix 11.06.2025 and above.
Product: MSoft MFlash
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9060
CVE-2025-31715 - Vowifi service is vulnerable to command injection through improper input validation, allowing for remote privilege escalation without additional execution privileges.
Product: Huawei Vowifi
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31715
CVE-2025-54117 - NamelessMC before version 2.2.3 is vulnerable to cross-site scripting (XSS) attacks via the dashboard text editor, allowing remote authenticated attackers to inject arbitrary web script or HTML.
Product: NamelessMC
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54117
CVE-2025-55205 - Capsule v0.10.3 and earlier allows authenticated tenant users to inject arbitrary labels into system namespaces, potentially accessing cross-tenant resources and bypassing multi-tenant isolation.
Product: Capsule
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55205
CVE-2025-55282 & CVE-2025-55283 - aiven-db-migrate before version 1.0.7 privilege escalation vulnerabilities
Product: aiven-db-migrate
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55282
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55283
CVE-2025-55293 - Meshtastic before v2.6.3 allows an attacker to overwrite a node's publicKey by sending a NodeInfo with an empty key followed by a new key.
Product: Meshtastic
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55293
CVE-2025-55299 - VaulTLS version 0.9.0 and below allow attackers to login with an empty password by exploiting an issue with user accounts created through the User web UI.
Product: VaulTLS mTLS (mutual TLS) certificates
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55299
CVE-2025-50567 - Saurus CMS Community Edition 4.7.1 is vulnerable to SQL injection and potential arbitrary PHP code execution due to the deprecated /e modifier in the custom DB::prepare() function.
Product: Saurus CMS Community Edition 4.7.1
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50567
CVE-2025-54336 - Plesk Obsidian 18.0.70 is vulnerable to a login bypass attack due to insecure comparison in _isAdminPasswordValid function.
Product: Plesk Obsidian
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54336
CVE-2025-55294 - Screenshot-desktop is vulnerable to a command injection issue, allowing arbitrary command execution with the privileges of the calling process.
Product: Screenshot-desktop
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55294
CVE-2024-44373 - AllSky v2023.05.01_04 is vulnerable to path traversal, allowing an attacker to create a webshell and execute remote code.
Product: AllSky v2023.05.01_04
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44373
CVE-2025-55306 - GenX_FX backend is at risk of exposing API keys and authentication tokens due to misconfigured environment variables, allowing unauthorized access to cloud resources.
Product: GenX FX
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55306
CVE-2025-55733 - DeepChat before 0.3.1 has a one-click remote code execution vulnerability, allowing attackers to exploit it by embedding a specially crafted deepchat: URL on a website, leading to remote code execution on the victim's machine.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55733
CVE-2025-8355 - Xerox FreeFlow Core version 8.0.4 is vulnerable to SSRF due to improper handling of XML input allowing injection of external entities.
Product: Xerox FreeFlow Core
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8355
ISC Podcast: https://isc.sans.edu/podcastdetail/9572
CVE-2025-8356 - Xerox FreeFlow Core version 8.0.4 is vulnerable to Path Traversal, enabling unauthorized file access and potential Remote Code Execution.
Product: Xerox FreeFlow Core
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8356
ISC Podcast: https://isc.sans.edu/podcastdetail/9572
CVE-2025-8059 - The B Blocks plugin for WordPress is vulnerable to Privilege Escalation allowing unauthenticated attackers to create admin accounts.
Product: WordPress B Blocks plugin
Active Installations: 800+. Update to version 2.0.7, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8059
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/0ee3b389-60c9-4f8e-9428-a71a6d9b20aa?source=cve
CVE-2025-7384 - The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection which can lead to remote code execution.
Product: WordPress Contact Form 7
Active Installations: 70,000+. Update to version 1.4.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7384
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/129f810d-ff83-4428-9f98-6a6aa8817783?source=cve
CVE-2025-6715 - The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion, allowing attackers to execute PHP files on the server.
Product: LatePoint WordPress plugin
Active Installations: 80,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6715
NVD References: https://wpscan.com/vulnerability/357aba51-b65e-4691-864b-fef1c78a9362/
CVE-2025-8047 - The disable-right-click-powered-by-pixterme WordPress plugin has a compromised JavaScript file that can be used as a backdoor by unauthorized users.
Product: disable-right-click-powered-by-pixterme WordPress plugin
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8047
NVD References: https://wpscan.com/vulnerability/a0c70b98-a3f9-4d4c-a25f-81424230b1a5/
CVE-2025-24775 - Made I.T. Forms is vulnerable to unrestricted upload of dangerous file types, enabling attackers to upload a web shell to a web server.
Product: Made I.T. Forms
Active Installations: 100+
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24775
CVE-2025-25174 - BeeTeam368 Extensions before version 1.9.4 allows PHP Local File Inclusion through an improper control of filenames.
Product: BeeTeam368 Extensions
Active Installations: Unknown. Update to version 2.3.5, or a newer patched version
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25174
CVE-2025-48293 - Geo Mashup vulnerability in PHP Local File Inclusion allows remote attackers to include and execute arbitrary PHP files.
Product: Dylan Kuhn Geo Mashup
Active Installations: 2,000+. Update to version 1.13.17 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48293
CVE-2025-49059 - CleverReach® WP is vulnerable to SQL Injection from n/a through 1.5.20.
Product: CleverReach WP
Active Installations: 400+
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49059
CVE-2025-49887 - Product XML Feed Manager for WooCommerce allows Remote Code Inclusion due to Improper Control of Generation of Code ('Code Injection') vulnerability, affecting versions n/a through 2.9.3.
Product: WPFactory Product XML Feed Manager for WooCommerce
Active Installations: 1,000+. Update to version 2.9.4 or later.
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49887
CVE-2025-52720 - Super Store Finder suffers from an SQL Injection vulnerability, affecting versions from n/a through 7.5.
Product: highwarden Super Store Finder
Active Installations: Unknown. Update to version 7.6 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52720
CVE-2025-54669 - MapSVG is vulnerable to SQL Injection through improper neutralization of special elements in SQL commands, affecting versions from n/a through n/a.
Product: RomanCode MapSVG
Active Installations: 1,000+. Update to version 8.7.4 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54669
NVD References: https://patchstack.com/database/wordpress/plugin/mapsvg/vulnerability/wordpress-mapsvg-plugin-8-7-4-sql-injection-vulnerability?_s_id=cve
CVE-2025-54678 - Easy Form Builder is vulnerable to Blind SQL Injection, allowing attackers to manipulate SQL commands and potentially access sensitive information.
Product: hassantafreshi Easy Form Builder
Active Installations: 2,000+. Update to version 3.8.16 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54678
CVE-2025-54686 - Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio allows Object Injection. This issue affects Exertio: from n/a through 1.3.2.
Product: scriptsbundle Exertio
Active Installations: Unknown. Update to version 1.3.3 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54686
NVD References: https://patchstack.com/database/wordpress/theme/exertio/vulnerability/wordpress-exertio-theme-1-3-2-php-object-injection-vulnerability?_s_id=cve
CVE-2025-54693 - Form Block is vulnerable to unrestricted upload of dangerous file types, allowing for the upload of a web shell to a web server, affecting versions from n/a through 1.5.5.
Product: epiphyt Form Block
Active Installations: 200+. Update to version 1.5.6 or later.
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54693
CVE-2025-54707 - RealMag777 MDTF is vulnerable to SQL Injection in versions up to 1.3.3.7.
Product: RealMag777 MDTF
Active Installations: 1,000+. Update to version 1.3.3.8 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54707
CVE-2025-6679 - The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code on the affected site's server.
Product: WordPress Bit Form builder plugin
Active Installations: 10,000+. Update to version 2.20.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6679
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2e294f-904b-4674-8baf-d3a9a260d634?source=cve
CVE-2025-7778 - The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion, allowing unauthenticated attackers to delete any file on the server, potentially leading to remote code execution.
Product: Icons Factory WordPress plugin
Active Installations: ** This plugin has been closed as of August 14, 2025 and is not available for download. This closure is temporary, pending a full review. **
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7778
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/24f31bbf-883f-4903-847a-7bfc3e45654c?source=cve
CVE-2025-7441 - The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads up to version 1.0.42 via the /wp-json/storychief/webhook endpoint, allowing unauthenticated attackers to potentially execute remote code.
Product: StoryChief WordPress plugin
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7441
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/979efaa4-10f1-4c7f-b4b0-5a41678c9d66?source=cve
CVE-2025-8898 - The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0.
Product: WordPress E-cab plugin
Active Installations: 1,000+. Update to version 1.3.1, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8898
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/fd50ac2c-3049-4a44-b7f8-a5f87c42555c?source=cve
CVE-2025-6758 - The Real Spaces - WordPress Properties Directory Theme is vulnerable to privilege escalation via the 'imic_agent_register' function due to a lack of role restriction, allowing unauthenticated attackers to choose the Administrator role during user registration.
Product: Real Estate Real Spaces - WordPress Properties Directory Theme
Active Installations: Unknown. Update to version 3.6.1, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6758
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/e2b24858-dfcd-46f3-9552-c7acc63a1ee7?source=cve
CVE-2025-8723 - The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization, allowing unauthenticated attackers to inject arbitrary PHP code.
Product: Cloudflare Image Resizing plugin for WordPress
Active Installations: 300+. Update to version 1.5.7, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8723
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/0f3b3c1a-1d45-4e2f-854a-171fe759257b?source=cve
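The entries above follow one fixed shape: a "CVE-... - summary" line, then "Product:", "CVSS Score:", an optional "** KEV since YYYY-MM-DD **" marker, an optional "Active Installations:" line, and reference lines (a URL after a label, or a "- URL" bullet under "NVD References:"). A parser for that shape plus a triage ordering, as an added example that is not the newsletter's own tooling: the layout rules just listed are assumptions drawn from the entries as printed, SAMPLE is abridged from the list above, and the ranking policy (KEV first, then CVSS descending, unscored entries set aside) is the editor's, not SANS'. The caveat it encodes is that "CVSS Score: 0" in this list means NVD has not scored the entry yet, not that it is harmless; sorting on the number would bury actively exploited flaws such as CVE-2025-31324 at the bottom.

```python
"""Added example (not from the newsletter): parse the vulnerability list
format used above and rank it for triage. SAMPLE is abridged from the list;
the layout rules and the ranking policy are assumptions."""
import re

URL_RE = re.compile(r"https?://\S+")
KEV_RE = re.compile(r"^\*\*\s*KEV since (\d{4}-\d{2}-\d{2})\s*\*\*$")

SAMPLE = """\
CVE-2025-31324 - SAP NetWeaver Visual Composer Metadata Uploader lacks proper authorization.
Product: SAP NetWeaver Visual Composer
CVSS Score: 0
** KEV since 2025-04-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31324
ISC Podcast: https://isc.sans.edu/podcastdetail/9578
CVE-2025-42950 - SAP Landscape Transformation (SLT) allows an attacker to inject arbitrary ABAP code.
Product: SAP Landscape Transformation (SLT)
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42950
CVE-2025-8875 - Deserialization of Untrusted Data vulnerability in N-able N-central.
Product: N-Able N-Central
CVSS Score: 7.8
** KEV since 2025-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8875
CVE-2025-55167 & CVE-2025-55168 - WeGIA version prior to 3.4.8 is vulnerable to SQL Injection
Product: WeGIA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55167
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55168
CVE-2025-25256 - Fortinet FortiSIEM is vulnerable to OS Command Injection via crafted CLI requests.
Product: Fortinet FortiSIEM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25256
NVD References:
- https://fortiguard.fortinet.com/psirt/FG-IR-25-152
CVE-2025-8355 - Xerox FreeFlow Core version 8.0.4 is vulnerable to SSRF.
Product: Xerox FreeFlow Core
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8355
"""


def parse_entries(text):
    """Turn the newsletter text into a list of dicts, one per entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("CVE-"):                       # header: ids, then " - ", then summary
            head, _, summary = line.partition(" - ")
            cur = {"cves": re.findall(r"CVE-\d{4}-\d{4,}", head), "summary": summary.strip(),
                   "product": None, "cvss": None, "kev_since": None, "installs": None, "refs": []}
            entries.append(cur)
        elif cur is None:
            continue                                      # preamble before the first entry
        elif line.startswith("Product:"):
            cur["product"] = line.split(":", 1)[1].strip()
        elif line.startswith("CVSS Score:"):
            cur["cvss"] = float(line.split(":", 1)[1])    # 0 means "not scored yet"
        elif line.startswith("Active Installations:"):
            cur["installs"] = line.split(":", 1)[1].strip()
        elif (m := KEV_RE.match(line)):
            cur["kev_since"] = m.group(1)
        else:
            cur["refs"].extend(URL_RE.findall(line))      # NVD / podcast / vendor links
    return entries


def triage(entries):
    """KEV entries first (most recent listing first), then scored entries by
    CVSS descending (first CVE id breaks ties). Unscored non-KEV entries are
    returned separately: 0 is an absence of data, not a low score."""
    kev = [e for e in entries if e["kev_since"]]
    scored = [e for e in entries if not e["kev_since"] and e["cvss"]]
    unscored = [e for e in entries if not e["kev_since"] and not e["cvss"]]
    kev.sort(key=lambda e: (e["kev_since"], e["cvss"] or 0.0), reverse=True)
    scored.sort(key=lambda e: (-e["cvss"], e["cves"][0]))
    return kev + scored, unscored


def report(entries):
    ranked, unscored = triage(entries)
    lines = [f"{i:2d}. {'KEV ' if e['kev_since'] else '    '}{e['cvss'] or '-':>4} "
             f"{', '.join(e['cves'])}  {e['product']}" for i, e in enumerate(ranked, 1)]
    lines += [f" ?. review  {', '.join(e['cves'])}  {e['product']}" for e in unscored]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_entries(SAMPLE)))
```

Feed the whole list to parse_entries() and the KEV entries float to the top regardless of score, the WeGIA pair stays one entry with two ids, and the two unscored Xerox entries land in the review bucket rather than below the 7.x items.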
Security from Code to Cloud: IaC Best Practices
Modern infrastructure is built and deployed through Infrastructure as Code (IaC). This shift has transformed how teams scale, standardize, and manage cloud resources, but it also introduces new risks. This cheat sheet explores IaC scanning, why it matters, and best practices to secure IaC and cloud resources.
Webcast | SANS Cloud Security Exchange 2025 | Thursday, August 21, 2025 at 10:30AM ET
Receive expert insights, guidance, and proven strategies from AWS, Google Cloud, Microsoft & SANS. The session recordings and eBook will be available to all registrants.
Webcast | SANS Multicloud Survey Forum: Securing Multiple Clouds at Scale | Friday, August 22, 2025 at 10:30AM ET
Uncover key findings from SANS research and hear expert guidance on how organizations are securing multiple clouds at scale.
Webcast | Enhancing Security Operations with Google Threat Intelligence | Tuesday, September 30, 2025 at 3:30PM ET
See how Google's threat intelligence can empower SOC teams to detect attacks faster, respond with confidence, and outpace adversaries.