ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft Patch Tuesday December 2025
Published: 2025-12-09
Last Updated: 2025-12-09 20:20:54 UTC
by Johannes Ullrich (Version: 1)
This release addresses 57 vulnerabilities. 3 of these vulnerabilities are rated critical. One vulnerability was already exploited, and two were publicly disclosed before the patch was released.
CVE-2025-62221: This privilege escalation vulnerability in the Microsoft Cloud Files Mini Filters driver is already being exploited.
- https://nvd.nist.gov/vuln/detail/CVE-2025-62221
CVE-2025-54100: A PowerShell script using Invoke-WebRequest may execute scripts that are included in the response. This is what Invoke-WebRequest is supposed to do. The patch adds a warning suggesting adding the -UseBasicParsing parameter to avoid executing scripts.
- https://nvd.nist.gov/vuln/detail/CVE-2025-54100
CVE-2025-64671: The GitHub Copilot plugin for JetBrains may lead to remote code execution. This is overall an issue with many AI code assistants, as they have far-reaching access to the IDE.
- https://nvd.nist.gov/vuln/detail/CVE-2025-64671
The critical vulnerabilities are remote code execution vulnerabilities in Office and Outlook ...
Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+December+2025/32550/
AutoIT3 Compiled Scripts Dropping Shellcodes
Published: 2025-12-05
Last Updated: 2025-12-05 07:12:12 UTC
by Xavier Mertens (Version: 1)
AutoIT3 is a powerful language that helps to build nice applications for Windows environments, mainly to automate tasks. Even though it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good… or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to BASIC) but can also be compiled into standalone PE files! From a malware point of view, such executables make extensive use of packed data, making them more stealthy.
Even if it has become less popular, AutoIT3 is still used by some attackers. I found a sample yesterday that (ab)uses a nice feature of the language. The sample was delivered in a ZIP archive, containing a PE file ... The file has a VT score of 33/72.
The technique used by the threat actor relies on the function FileInstall(). Its purpose is to include a file into an executed script but… the behavior is subtle and depends on how the script is run. The script calls this code ...
Read the full entry: https://isc.sans.edu/diary/AutoIT3+Compiled+Scripts+Dropping+Shellcodes/32542/
Nation-State Attack or Compromised Government? [Guest Diary]
Published: 2025-12-04
Last Updated: 2025-12-04 02:34:40 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu BACS program]
The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!
The Beginning ...
On November 10, 2025, my honeypot captured very interesting activity that really demonstrates how evolved modern threat actors are getting. What initially appeared to be a simple, but successful, SSH brute force attempt quickly revealed itself as something far more concerning: a deployment of an advanced trojan designed for long-term persistence and evasion.
What happened?
Suspicious activity was detected when the IP address 103[.] ... successfully SSH’d into my honeypot using the credentials username “root” and password “linux”. The bad actor maintained access to the honeypot for 1 minute and 45 seconds but ultimately ran no commands. Instead, the attacker uploaded a single file, a trojan binary named “sshd” designed to evade security detections by pretending to be the OpenSSH daemon. It was an Executable and Linkable Format (ELF) binary that was classified as malicious by VirusTotal and Hybrid-Analysis.
We won’t be able to see what the Trojan did on my honeypot at this time; however, I found the hash on Hybrid-Analysis and got a good idea of what the trojan does ...
Read the full entry: https://isc.sans.edu/diary/NationState+Attack+or+Compromised+Government+Guest+Diary/32536/
The Holiday Hack Challenge is built by the same experts behind SANS Cyber Ranges, offering high-quality, real-world learning in a fun, festive environment.
New in Holiday Hack Challenge: Skip the storyline and jump straight into the challenges. CTF mode lets you focus on solving technical puzzles, testing your skills, and competing your way to the top.
https://www.sans.org/cyber-ranges/holiday-hack-challenge
Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection) (2025.12.10)
Attempts to Bypass CDNs (2025.12.03)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-55182 - React Server Components versions 19.0.0 to 19.2.0 are vulnerable to pre-authentication remote code execution via unsafe deserialization of payloads from HTTP requests.
Product: React
CVSS Score: 10.0
** KEV since 2025-12-05 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
ISC Podcast: https://isc.sans.edu/podcastdetail/9724
NVD References:
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://www.facebook.com/security/advisories/cve-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- https://news.ycombinator.com/item?id=46136026
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
CVE-2025-62221 - Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows Cloud Files Mini Filter Driver
CVSS Score: 7.8
** KEV since 2025-12-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62221
ISC Diary: https://isc.sans.edu/diary/32550
NVD References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-62221
CVE-2025-66644 - Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.
Product: Array Networks ArrayOS AG
CVSS Score: 7.2
** KEV since 2025-12-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66644
NVD References:
- https://www.jpcert.or.jp/at/2025/at250024.html
- https://x.com/ArraySupport/status/1921373397533032590
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644
CVE-2025-48572 - Android Framework is vulnerable to background activity launching from multiple locations, allowing for local privilege escalation without the need for additional execution privileges or user interaction.
Product: Google Android
CVSS Score: 7.8
** KEV since 2025-12-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48572
NVD References:
- https://android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192
- https://source.android.com/security/bulletin/2025-12-01
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48572
CVE-2025-48633 - Device Policy Manager Service in DevicePolicyManagerService.java allows for local escalation of privilege without additional execution privileges needed by adding a Device Owner after provisioning due to a logic error.
Product: Google Android
CVSS Score: 5.5
** KEV since 2025-12-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48633
NVD References:
- https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93
- https://source.android.com/security/bulletin/2025-12-01
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633
CVE-2021-26828 - OpenPLC ScadaBR allows remote authenticated users to upload and execute arbitrary JSP files through view_edit.shtm.
Product: OpenPLC Project ScadaBR
CVSS Score: 0
** KEV since 2025-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-26828
CVE-2025-13872 - ObjectPlanet Opinio 7.26 rev12562 suffers from a Blind SSRF vulnerability in the survey-import feature, allowing attackers to force the server to make malicious HTTP GET requests.
Product: ObjectPlanet Opinio
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13872
CVE-2025-41742 & CVE-2025-41744 - Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 are vulnerable to unauthorized remote attacks due to default cryptographic keys.
Product: Sprecher Automations SPRECON-E Series
CVSS Scores: 9.8 and 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41742
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41744
NVD References:
- https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf
- https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf
CVE-2025-11778, CVE-2025-11779, CVE-2025-11780, CVE-2025-11782 through CVE-2025-11786, CVE-2025-11788 - Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 has multiple buffer overflow vulnerabilities.
Product: Circutor SGE-PLC1000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11778
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11779
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11780
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11782
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11783
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11784
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11785
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11786
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11788
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0
CVE-2025-41013 - TCMAN GIM v11 in version 20250304 is vulnerable to SQL injection, allowing attackers to manipulate databases using the 'idmant' parameter in '/PC/frmEPIS.aspx'.
Product: TCMAN GIM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41013
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2
CVE-2025-59693 - Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 have a vulnerability (F02) that allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing tamper labels and opening the chassis without leaving evidence, and accessing the JTAG connector.
Product: Entrust nShield Connect XC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59693
CVE-2025-59695 - Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an OS root user to alter firmware on the Chassis Management Board without Authentication, known as F04 vulnerability.
Product: Entrust nShield Connect XC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59695
CVE-2025-59703 - Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access internal components without leaving tamper evidence, known as an F14 attack.
Product: Entrust nShield 5C
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59703
CVE-2025-65358 - Edoc-doctor-appointment-system v1.0.1 was discovered to contain an SQL injection vulnerability via the 'docid' parameter at /admin/appointment.php.
Product: Hashenudara Edoc-Doctor-Appointment-System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65358
CVE-2025-65656 - dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
Product: Dcatadmin Dcat Admin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65656
CVE-2025-58386 - Terminalfour 8 through 8.4.1.1 allows Power Users to escalate privileges by manipulating the userLevel parameter in user management functions.
Product: Terminalfour
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58386
NVD References: https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/
CVE-2025-60854 - D-Link R15 (AX1500) 1.20.01 and below is vulnerable to command injection via the model name parameter during a password change request in the web administrator page.
Product: D-Link R15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60854
NVD References: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10473
CVE-2025-60736 - code-projects Online Medicine Guide 1.0 is vulnerable to SQL Injection in /login.php via the upass parameter.
Product: Anisha Online Medicine Guide
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60736
NVD References: https://github.com/WinDyAlphA/CVE-2025-60736
CVE-2025-65896 - SQL injection vulnerability in long2ice asyncmy through 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys.
Product: Long2ice asyncmy
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65896
CVE-2025-65267 - ERPNext v15.83.2 and Frappe Framework v15.86.0 are vulnerable to stored cross-site scripting (XSS) via malicious JavaScript embedded in uploaded SVG avatar images, allowing for potential account takeover and compromise of the affected instance.
Product: ERPNext and Frappe Framework
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65267
CVE-2024-32641 - Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution via the addParam function, allowing an unauthenticated attacker to execute arbitrary code.
Product: Masa CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32641
CVE-2025-66032 - Claude Code, an agentic coding tool, prior to version 1.0.93, allowed for arbitrary code execution by bypassing read-only validation, fixed in the latest update.
Product: Anthropic Claude_Code
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66032
NVD References: https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3
CVE-2025-66208 - Collabora Online - Built-in CODE Server prior to version 25.04.702 is vulnerable to Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy, putting users of Nextcloud with the app at risk.
Product: Collabora Online
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66208
CVE-2025-66222 - DeepChat is vulnerable to Stored Cross-Site Scripting (XSS) which can be escalated to Remote Code Execution (RCE) through the Electron IPC bridge.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66222
CVE-2025-66481 - DeepChat is vulnerable to XSS attacks through improperly sanitized Mermaid content, with a recent security patch being insufficient and allowing for Remote Code Execution via electron.ipcRenderer interface.
Product: DeepChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66481
CVE-2025-64055 - Fanvil x210 V2 2.12.20 is vulnerable to an authentication bypass, enabling unauthenticated attackers on the local network to access administrative functions of the device.
Product: Fanvil x210
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64055
CVE-2025-64054 - Fanvil x210 2.12.20 devices are susceptible to reflected Cross Site Scripting (XSS) attacks, permitting attackers to execute commands or launch denial of service attacks.
Product: Fanvil x210
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64054
CVE-2025-65868 - EyouCMS v1.7.1 is vulnerable to XML external entity (XXE) injection, enabling remote attackers to cause a denial of service with a specially crafted POST request body.
Product: EyouCMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65868
CVE-2024-45538 - Synology DiskStation Manager (DSM) and Synology Unified Controller (DSMUC) are vulnerable to CSRF attacks, allowing remote attackers to execute arbitrary code.
Product: Synology Diskstation_Manager_Unified_Controller
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45538
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_24_27
CVE-2025-53963 - Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices are vulnerable to root code execution due to a weak default password for the root account on an accessible SSH server.
Product: Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53963
NVD References:
- https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf
CVE-2025-54303 - The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials stored as fixtures for the Django ORM API, allowing an attacker to authenticate with administrative privileges using the ionadmin user account and password ionadmin.
Product: Thermo Fisher Torrent Suite Django application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54303
NVD References:
- https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf
CVE-2025-54304 - Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices have a vulnerability that allows unauthorized access and potential execution of code due to an exposed X11 display server.
Product: Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54304
NVD References:
- https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf
CVE-2025-65346 - Alexusmai Laravel-File-Manager 3.3.1 and below is vulnerable to Directory Traversal, allowing archive contents to be written to arbitrary locations on the filesystem.
Product: alexusmai Laravel-File-Manager
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65346
CVE-2025-63362 - Waveshare RS232/485 TO WIFI ETH (B) allows attackers to bypass authentication by setting blank Administrator password and username values.
Product: Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63362
CVE-2025-29268 - ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library.
Product: ALLNET ALL-RUT22GW
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29268
CVE-2025-29269 - ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.
Product: ALLNET ALL-RUT22GW
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29269
CVE-2025-66570 - cpp-httplib prior to 0.27.0 allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions.
Product: cpp-httplib C++11 single-file header-only cross platform HTTP/HTTPS library
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66570
CVE-2025-27019 - Infinera MTC-9 version R22.1.1.0275 allows an attacker to gain system access by exploiting password-less user accounts and activating a reverse shell.
Product: Infinera MTC-9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27019
NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27019
CVE-2025-27020 - Infinera MTC-9 is vulnerable to an unauthenticated attacker exploiting an improperly configured SSH service to execute arbitrary commands and access file system data.
Product: Infinera MTC-9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27020
NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27020
CVE-2025-61318 - Emlog Pro 2.5.20 is vulnerable to arbitrary file deletion due to insufficient path verification and code filtering in the admin templates and plugins components.
Product: Emlog
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61318
CVE-2025-48626 - The vulnerable product allows for remote privilege escalation without additional execution privileges, as a result of a precondition check failure allowing for background application launch.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48626
NVD References: https://source.android.com/security/bulletin/2025-12-01
CVE-2025-64081 - SourceCodester Patients Waiting Area Queue Management System v1 is vulnerable to SQL injection through the appointmentID parameter in /php/api_patient_schedule.php, allowing for the execution of arbitrary SQL commands by attackers.
Product: Pamzey Patients_Waiting_Area_Queue_Management_System 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64081
CVE-2025-10573 - Ivanti Endpoint Manager is vulnerable to Stored XSS attacks allowing remote unauthenticated attackers to execute arbitrary JavaScript in an administrator session with user interaction.
Product: Ivanti Endpoint Manager
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10573
NVD References: https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
CVE-2025-11022 - Panilux is vulnerable to CSRF attacks, allowing for unauthorized Cross-Site Request Forgery.
Product: Panilux
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11022
CVE-2025-12504 - TalentSoft Software UNIS is vulnerable to SQL Injection through improper neutralization of special elements before version 42321.
Product: TalentSoft Software UNIS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12504
CVE-2025-42880 - SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42880
CVE-2025-42928 - SAP jConnect is vulnerable to deserialization attacks that enable high privileged users to execute remote code under specific conditions, posing a significant risk to system security.
Product: SAP jConnect
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42928
CVE-2025-67504 - WBCE CMS versions 1.6.4 and below use non-cryptographically secure password generation, potentially leading to compromised user accounts or privilege escalation.
Product: WBCE CMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67504
CVE-2025-54100 - Windows PowerShell allows unauthorized attackers to execute code locally due to improper neutralization of special elements in a command.
Product: Microsoft Windows PowerShell
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54100
ISC Diary: https://isc.sans.edu/diary/32550
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100
CVE-2025-59718 & CVE-2025-59719 - Fortinet FortiOS, FortiProxy, and FortiSwitchManager have improper cryptographic signature verification vulnerabilities.
Product: Multiple Fortinet Products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59718
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59719
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-25-647
CVE-2025-64671 - Copilot is vulnerable to command injection, allowing unauthorized attackers to execute code locally.
Product: Microsoft Copilot
CVSS Score: 8.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64671
ISC Diary: https://isc.sans.edu/diary/32550
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671
CVE-2025-67489 - The vulnerability in "@vitejs/plugin-rs" allows arbitrary remote code execution on development servers through unsafe dynamic imports in server function APIs, which could lead to data theft or modification.
Product: vitejs plugin-rs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67489
CVE-2025-67494 - ZITADEL versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability due to treating the x-zitadel-forward-host header as a trusted fallback, allowing data exfiltration and bypassing network-segmentation controls.
Product: ZITADEL Login UI (V2)
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67494
CVE-2025-61808 - ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability allowing for arbitrary code execution by a high privileged attacker without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61808
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
CVE-2025-61809 - ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are vulnerable to an Improper Input Validation flaw allowing security feature bypass, enabling unauthorized access without user interaction.
Product: Adobe ColdFusion
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61809
NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
CVE-2025-67506 - PipesHub's vulnerability in versions prior to 0.1.0-beta allows remote attackers to overwrite files or plant malicious code by exploiting a missing authentication issue when converting uploaded files to PDF.
Product: PipesHub Workplace AI platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67506
CVE-2025-13542 - The DesignThemes LMS plugin for WordPress allows unauthenticated attackers to achieve Privilege Escalation by registering as administrators.
Product: DesignThemes LMS plugin for WordPress
Active Installations: Unknown. Update to version 1.0.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13542
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve
CVE-2025-13486 - The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution through the prepare_form() function, allowing unauthenticated attackers to execute arbitrary code on the server.
Product: WordPress Advanced Custom Fields: Extended plugin
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13486
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve
CVE-2025-13342 - The Frontend Admin by DynamiApps plugin for WordPress allows unauthenticated attackers to modify critical WordPress options via crafted form data.
Product: DynamiApps Frontend Admin by DynamiApps plugin
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13342
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3?source=cve
CVE-2025-13390 - The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass due to a weak token generation mechanism, allowing unauthenticated attackers to gain administrative access and achieve full site takeover.
Product: WP Directory Kit WordPress
Active Installations: 3,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13390
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve
CVE-2025-13313 - The CRM Memberships plugin for WordPress is vulnerable to privilege escalation through password reset in versions up to, and including, 2.5, due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action, allowing unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the endpoint.
Product: WordPress CRM Memberships plugin
Active Installations: This plugin has been closed as of December 2, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13313
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/e2837399-c44f-494e-bdc6-f9c6e4e2dc11?source=cve
CVE-2025-12374 - The User Verification plugin for WordPress up to version 2.0.39 allows unauthenticated attackers to bypass authentication and log in as any user with a verified email address by submitting an empty OTP value.
Product: WordPress User Verification plugin
Active Installations: This plugin has been closed as of December 3, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12374
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve
CVE-2025-13377 - The 10Web Booster plugin for WordPress is vulnerable to arbitrary folder deletion by authenticated attackers with Subscriber-level access and above, potentially leading to data loss or denial of service.
Product: 10Web Booster – Website speed optimization plugin for WordPress
Active Installations: 90,000+
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13377
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve
CVE-2025-13613 - The Elated Membership plugin for WordPress up to version 1.2 is vulnerable to Authentication Bypass, allowing unauthenticated attackers to log in as administrative users through improper user verification functions.
Product: Elated Membership plugin for WordPress
Active Installations: Unknown. Update to version 1.3, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13613
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve
Meet Cortex Cloud 2.0: The complexity of securing modern cloud environments — from development to deployment — has reached a breaking point. Siloed tools and alert fatigue turn visibility into chaos. Discover how Cortex® Cloud™ 2.0 sets the new standard for cloud security, connecting code, cloud, runtime and automation.
Free Virtual Event | SANS 2026 Kubernetes & CNAPP Forum | January 15, 2026 @ 10:00 am ET. | 4 CPE credits.
Webcast | Securing Branch and OT Environments with Agentless Segmentation | Tuesday, January 13, 2026 @ 1:00 PM ET. With Greg Scheidel, SANS Principal Instructor.
Take the SANS 2026 CTI Survey: CTI Empowers both practitioners and decision-makers. Share insights on how you're advancing Cyber Threat Intelligence to tackle AI-driven threats, strengthen decision-making, and demonstrate measurable value across tactical, operational, and strategic levels. Be entered into a drawing to be one of four $100 Amazon gift card winners.