SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 25ISSUE 8
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
[Guest Diary] Malware Source Servers: The Threat of Attackers Using Ephemeral Ports as Service Ports to Upload Data
Published: 2025-02-26
Last Updated: 2025-02-26 02:21:53 UTC
by Robin Zaheer, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Robin Zaheer, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
During my time as an intern with SANS Internet Storm Center, my DShield honeypot has seen a variety of attacks that prove to be interesting case studies. Most commonly, I have seen thousands upon thousands of password guessing attacks, for which the ISC provides a nifty webpage that displays the top source IPs, usernames, and passwords used in said attacks observed by my honeypot for SSH/Telnet. Here is a snapshot of that page ...
These attacks are most certainly worth studying, but I think the attacks that occur after the attackers succeed in their password guessing draw my interest the most. After all, attacker behavior is most easily studied when they are given the access necessary to attempt what they mean to do within a target system. The attack I wish to focus on today utilizes a cloud IP that has remained undetected by malicious IP identifiers. It started with the following password guessing attack ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Malware+Source+Servers+The+Threat+of+Attackers+Using+Ephemeral+Ports+as+Service+Ports+to+Upload+Data/31710/
Using ES|QL in Kibana to Queries DShield Honeypot Logs
Published: 2025-02-20
Last Updated: 2025-02-20 02:06:46 UTC
by Guy Bruneau (Version: 1)
With the Elastic released of version 8.17.0, it included "The technical preview of new MATCH and query string (QSTR) functions in ES|QL makes log searches easier and more intuitive." With this released, I started exploring some of the many options available with ES|QL in Kibana, enabled by default, to do various types of queries to quickly summarize data, outside of the default or custom dashboards.
To illustrate this, I will show two different queries, one with user.name and one with source actor IP addresses. While writing the query, you will notice after you include the pipe (|), a list of possible ES|QL field options will appear, refer to this reference for ES|QL language.
This is an example of a simple strategy where the only field selected is the user.name stored in the Elasticsearch cowrie table. In this example, the output is limited by time and up to 1000 rows. By adding | LIMIT 10 to the end of the query, the output would only show the TOP 10 vs. up to 1000 ...
Read the full entry: https://isc.sans.edu/diary/Using+ESQL+in+Kibana+to+Queries+DShield+Honeypot+Logs/31704/
Internet Storm Center Entries
Unfurl v2025.02 released (2025.02.24)
https://isc.sans.edu/diary/Unfurl+v202502+released/31716/
Wireshark 4.4.4 Released (2025.02.23)
https://isc.sans.edu/diary/Wireshark+444+Released/31712/
Tool update: sigs.py - added check mode (2025.02.21)
https://isc.sans.edu/diary/Tool+update+sigspy+added+check+mode/31706/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-26794 - Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
Product: Exim
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26794
ISC Podcast: https://isc.sans.edu/podcastdetail/9338
NVD References:
- https://bugzilla.suse.com/show_bug.cgi?id=1237424
- https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305
- https://github.com/Exim/exim/wiki/EximSecurity
- https://github.com/NixOS/nixpkgs/pull/383926
- https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d
- https://www.exim.org/static/doc/security/CVE-2025-26794.txt
- http://www.openwall.com/lists/oss-security/2025/02/19/1
CVE-2025-24989 - Power Pages has an improper access control vulnerability that could allow unauthorized attackers to elevate privileges over a network.
Product: Microsoft Power Pages
CVSS Score: 8.2
** KEV since 2025-02-21 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24989
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
CVE-2023-34192 - Zimbra ZCS v.8.8.15 is vulnerable to cross-site scripting, enabling remote authenticated attackers to execute arbitrary code by manipulating a script in the /h/autoSaveDraft function.
Product: Zimbra Collaboration 8.8.15
CVSS Score: 0
** KEV since 2025-02-25 **
CVE-2017-3066 - Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier are vulnerable to a Java deserialization flaw in Apache BlazeDS library, allowing for potential arbitrary code execution.
Product: Adobe Coldfusion 2016
CVSS Score: 0
** KEV since 2025-02-24 **
CVE-2025-1023 - ChurchCRM 5.13.0 and prior is vulnerable to a time-based blind SQL Injection in the EditEventTypes functionality, allowing attackers to execute arbitrary SQL queries and potentially modify or delete data.
Product: ChurchCRM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1023
NVD References: https://github.com/ChurchCRM/CRM/issues/7246
CVE-2024-57045 - The D-Link DIR-859 router with firmware version A3 1.05 and earlier allows unauthorized access through a post request to the / getcfg.php page.
Product: D-Link DIR-859 Router
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57045
NVD References:
CVE-2024-57049 - TP-Link Archer c20 router with firmware version V6.6_230412 and earlier allows unauthorized users to bypass authentication in certain /cgi interfaces by adding "Referer: http://tplinkwifi.net" to the request.
Product: TP-Link Archer
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57049
NVD References: https://github.com/Shuanunio/CVE_Requests/blob/main/TP-Link/archer%20c20/ACL%20bypass%20Vulnerability%20in%20TP-Link%20archer%20c20.md
CVE-2024-57050 - TP-Link WR840N v6 router with firmware version 0.9.1 4.16 and earlier allows unauthorized bypass of authentication in specific /cgi interfaces by adding Referer: http://tplinkwifi.net to the request.
Product: TP-Link WR840N
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57050
NVD References: https://github.com/Shuanunio/CVE_Requests/blob/main/TP-Link/WR840N%20v6/ACL%20bypass%20Vulnerability%20in%20TP-Link%20TL-WR840N.md
CVE-2024-39327 - Atos Eviden IDRA before version 2.6.1 has an Incorrect Access Control vulnerability that could lead to unauthorized access to CA signing capabilities.
Product: Atos Eviden IDRA
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39327
NVD References:
- https://eviden.com/solutions/digital-security/digital-identity/
-
cve-2024-39327 - cve-2024-39328-
CVE-2024-55460 - BoardRoom Limited Dividend Distribution Tax Election System Version v2.0 is vulnerable to a time-based SQL injection on its login page, enabling attackers to execute code by manipulating input.
Product: BoardRoom Limited Dividend Distribution Tax Election System Version v2.0CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55460NVD References: - https://github.com/Ap0k4L1p5/CVE-research/tree/master/CVE-2024-55460- https://sgsrs.boardroomlimited.com/taxelection/login.aspxCVE-2022-41545 - Netgear C7800 Router running firmware version 6.01.07 is vulnerable to eavesdropping on administrative credentials due to its use of basic authentication without transport security, allowing adversaries to intercept plaintext usernames and passwords during authenticated requests.Product: Netgear C7800 RouterCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41545NVD References: - https://seclists.org/fulldisclosure/2025/Feb/12- https://www.netgear.com/about/security/- https://www.netgear.com/images/datasheet/networking/cablemodems/C7800.pdf- http://seclists.org/fulldisclosure/2025/Feb/12CVE-2025-24894 - SPID.AspNetCore.Authentication is vulnerable to an arbitrary SAML response injection issue, allowing attackers to impersonate any Spid and/or CIE user unless upgraded to version 3.4.0.Product: SPID AspNetCore Remote AuthenticatorCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24894NVD References: https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vwCVE-2025-24895 - CIE.AspNetCore.Authentication is vulnerable to arbitrary SAML response injection by attackers, allowing impersonation of Spid and/or CIE users until version 2.1.0 is installed.Product: CIE AspNetCore AuthenticationCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24895NVD References: https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486CVE-2024-56000 - Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements allows Privilege Escalation.This issue affects K Elements: from n/a before 5.4.0.Product: SeventhQueen K ElementsCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56000NVD References: - https://patchstack.com/articles/critical-privilege-escalation-patched-in-kleo-themes-plugin?_s_id=cve- https://patchstack.com/database/wordpress/plugin/k-elements/vulnerability/wordpress-k-elements-plugin-5-2-0-unauthenticated-account-takeover-vulnerability?_s_id=cve- https://themeforest.net/item/kleo-pro-community-focused-multipurpose-buddypress-theme/6776630?_s_id=cveCVE-2025-22654 - Kodeshpa Simplified is vulnerable to an Unrestricted Upload of File with Dangerous Type issue, allowing attackers to upload malicious files, affecting versions up to 1.0.6.Product: Kodeshpa SimplifiedCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22654NVD References: https://patchstack.com/database/wordpress/plugin/simplified/vulnerability/wordpress-simplified-plugin-plugin-1-0-6-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2025-26615 - WeGIA's `examples.php` endpoint has a Path Traversal vulnerability that could lead to unauthorized access to sensitive information in `config.php`.Product: WeGIA Web Manager for InstitutionsCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26615NVD References: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-p5wx-pv8j-f96hCVE-2025-25467 - Libx264 git master is vulnerable to arbitrary code execution due to insufficient tracking and releasing of allocated memory in AAC file parsing.Product: VideoLAN libx264 CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25467NVD References: https://code.videolan.org/videolan/x264/-/issues/75CVE-2020-35546 - Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.Product: Lexmark MX6500CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-35546NVD References: - http://support.lexmark.com- https://publications.lexmark.com/publications/security-alerts/CVE-2020-35546.pdfCVE-2023-46271 - "Extreme Networks IQ Engine version before 10.6r1a has a buffer overflow vulnerability due to the ah_webui service on TCP port 3009."Product: Extreme Networks IQ EngineCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46271NVD References: - https://extreme-networks.my.site.com/ExtrArticleDetail?an=000115354&q=CVE-2023-46271- https://extremenetworks.com- https://www.zerodayinitiative.com/advisories/ZDI-23-1766/CVE-2024-37361 - Hitachi Vantara Pentaho Business Analytics Server deserializes untrusted JSON data without proper validation, leading to potential unauthorized actions by attackers.Product: Hitachi Vantara Pentaho Business Analytics ServerCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37361NVD References: https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361CVE-2024-57401 - Uniclare Student portal v.2 and before is vulnerable to SQL Injection, allowing remote attackers to execute arbi…
CVE-2022-41545 - Netgear C7800 Router running firmware version 6.01.07 is vulnerable to eavesdropping on administrative credentials due to its use of basic authentication without transport security, allowing adversaries to intercept plaintext usernames and passwords during authenticated requests.
Product: Netgear C7800 Router
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41545
NVD References:
- https://seclists.org/fulldisclosure/2025/Feb/12
- https://www.netgear.com/about/security/
- https://www.netgear.com/images/datasheet/networking/cablemodems/C7800.pdf
CVE-2025-24894 - SPID.AspNetCore.Authentication is vulnerable to an arbitrary SAML response injection issue, allowing attackers to impersonate any Spid and/or CIE user unless upgraded to version 3.4.0.
Product: SPID AspNetCore Remote Authenticator
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24894
NVD References: https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw
CVE-2025-24895 - CIE.AspNetCore.Authentication is vulnerable to arbitrary SAML response injection by attackers, allowing impersonation of Spid and/or CIE users until version 2.1.0 is installed.
Product: CIE AspNetCore Authentication
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24895
NVD References: https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486
CVE-2024-56000 - Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements allows Privilege Escalation.This issue affects K Elements: from n/a before 5.4.0.
Product: SeventhQueen K Elements
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56000
NVD References:
CVE-2025-22654 - Kodeshpa Simplified is vulnerable to an Unrestricted Upload of File with Dangerous Type issue, allowing attackers to upload malicious files, affecting versions up to 1.0.6.
CVE-2025-26615 - WeGIA's `examples.php` endpoint has a Path Traversal vulnerability that could lead to unauthorized access to sensitive information in `config.php`.
Product: WeGIA Web Manager for Institutions
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26615
NVD References: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-p5wx-pv8j-f96h
CVE-2025-25467 - Libx264 git master is vulnerable to arbitrary code execution due to insufficient tracking and releasing of allocated memory in AAC file parsing.
Product: VideoLAN libx264
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25467
NVD References: https://code.videolan.org/videolan/x264/-/issues/75
CVE-2020-35546 - Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.
Product: Lexmark MX6500
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-35546
NVD References:
- https://publications.lexmark.com/publications/security-alerts/CVE-2020-35546.pdf
CVE-2023-46271 - "Extreme Networks IQ Engine version before 10.6r1a has a buffer overflow vulnerability due to the ah_webui service on TCP port 3009."
Product: Extreme Networks IQ EngineCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46271NVD References: - https://extreme-networks.my.site.com/ExtrArticleDetail?an=000115354&q=CVE-2023-46271- https://extremenetworks.com- https://www.zerodayinitiative.com/advisories/ZDI-23-1766/CVE-2024-37361 - Hitachi Vantara Pentaho Business Analytics Server deserializes untrusted JSON data without proper validation, leading to potential unauthorized actions by attackers.Product: Hitachi Vantara Pentaho Business Analytics ServerCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37361NVD References: https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361CVE-2024-57401 - Uniclare Student portal v.2 and before is vulnerable to SQL Injection, allowing remote attackers to execute arbitrary code through the Forgot Password feature.Product: Uniclare Student portalCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57401NVD References: https://github.com/aksingh82/CVE-2024-57401NVD References: https://studentportal.universitysolutions.in/CVE-2025-20059 - Ping Identity PingAM Java Policy Agent is vulnerable to Relative Path Traversal allowing for Parameter Injection up to the versions 5.10.3, 2023.11.1, and 2024.9.Product: Ping Identity PingAM Java Policy AgentCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20059NVD References: https://backstage.forgerock.com/knowledge/advisories/article/a61848355CVE-2025-1265 - Vinci Protocol Analyzer is vulnerable to OS command injection, enabling attackers to gain elevated privileges and execute malicious code on the system.Product: Vinci Protocol AnalyzerCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1265NVD References: - https://elseta.com/support/- https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-06CVE-2025-24893 - XWiki Platform is vulnerable to arbitrary remote code execution through a request to `SolrSearch`, impacting the confidentiality, integrity, and availability of the installation.Product: XWiki PlatformCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24893NVD References: - https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955- https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j- https://jira.xwiki.org/browse/XWIKI-22149CVE-2024-54756 - ZDoom Team GZDoom v4.13.1 is vulnerable to remote code execution via a crafted PK3 file.Product: ZDoom Team GZDoomCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54756NVD References: - https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoC- https://seclists.org/fulldisclosure/2025/Feb/11- http://seclists.org/fulldisclosure/2025/Feb/11- https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoCCVE-2025-25662 - Tenda O4 V3.0 V1.0.0.10(2936) is vulnerable to Buffer Overflow in the function SafeSetMacFilter of the file /goform/setMacFilterList.Product: Tenda O4 V3.0 V1.0.0.10CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25662NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/O4V3/setMacFilterList.mdCVE-2025-25663 - Tenda AC8V4 V16.03.34.06 is vulnerable to a stack-based buffer overflow in the wpapsk_crypto argument of function SUB_0046AC38 in the file /goform/WifiExtraSet.Product: Tenda AC8V4CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25663NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/WifiExtraSet.mdCVE-2025-25664 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_49E098 function.Product: Tenda AC8CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25664NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/SetIpMacBind.mdCVE-2025-25667 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.Product: Tenda AC8V4CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25667NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/saveParentControlInfo.mdCVE-2025-25668 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_47D878 function.Product: Tenda AC8V4CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25668NVD References:…
CVE-2024-37361 - Hitachi Vantara Pentaho Business Analytics Server deserializes untrusted JSON data without proper validation, leading to potential unauthorized actions by attackers.
Product: Hitachi Vantara Pentaho Business Analytics Server
CVSS Score: 9.9
CVE-2024-57401 - Uniclare Student portal v.2 and before is vulnerable to SQL Injection, allowing remote attackers to execute arbitrary code through the Forgot Password feature.
Product: Uniclare Student portal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57401
NVD References: https://github.com/aksingh82/CVE-2024-57401
NVD References: https://studentportal.universitysolutions.in/
CVE-2025-20059 - Ping Identity PingAM Java Policy Agent is vulnerable to Relative Path Traversal allowing for Parameter Injection up to the versions 5.10.3, 2023.11.1, and 2024.9.
Product: Ping Identity PingAM Java Policy Agent
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20059
NVD References: https://backstage.forgerock.com/knowledge/advisories/article/a61848355
CVE-2025-1265 - Vinci Protocol Analyzer is vulnerable to OS command injection, enabling attackers to gain elevated privileges and execute malicious code on the system.
Product: Vinci Protocol Analyzer
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1265
NVD References:
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-06
CVE-2025-24893 - XWiki Platform is vulnerable to arbitrary remote code execution through a request to `SolrSearch`, impacting the confidentiality, integrity, and availability of the installation.
Product: XWiki Platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
NVD References:
- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
CVE-2024-54756 - ZDoom Team GZDoom v4.13.1 is vulnerable to remote code execution via a crafted PK3 file.
Product: ZDoom Team GZDoom
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54756
NVD References:
- https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoC
- https://seclists.org/fulldisclosure/2025/Feb/11
- http://seclists.org/fulldisclosure/2025/Feb/11
- https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoC
CVE-2025-25662 - Tenda O4 V3.0 V1.0.0.10(2936) is vulnerable to Buffer Overflow in the function SafeSetMacFilter of the file /goform/setMacFilterList.
Product: Tenda O4 V3.0 V1.0.0.10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25662
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/O4V3/setMacFilterList.md
CVE-2025-25663 - Tenda AC8V4 V16.03.34.06 is vulnerable to a stack-based buffer overflow in the wpapsk_crypto argument of function SUB_0046AC38 in the file /goform/WifiExtraSet.
Product: Tenda AC8V4
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25663
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/WifiExtraSet.md
CVE-2025-25664 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_49E098 function.
Product: Tenda AC8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25664
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/SetIpMacBind.md
CVE-2025-25667 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.
Product: Tenda AC8V4
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25667
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/saveParentControlInfo.md
CVE-2025-25668 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_47D878 function.
Product: Tenda AC8V4
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25668
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/setMacFilterCfg.md
CVE-2025-25674 - Tenda AC10 V1.0 V15.03.06.23 is vulnerable to Buffer Overflow in form_fast_setting_wifi_set via the parameter ssid.
Product: Tenda AC10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25674
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC10V1/fast_setting_wifi_set.md
CVE-2025-25675 - Tenda AC10 V1.0 V15.03.06.23 is vulnerable to command injection through the formexeCommand function, allowing arbitrary command execution.
Product: Tenda AC10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25675
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC10V1/formexeCommand.md
CVE-2025-25676 - Tenda i12 V1.0.0.10(3805) was discovered to contain a buffer overflow via the list parameter in the formwrlSSIDset function.
Product: Tenda i12
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25676
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/i12V1/wifiSSIDget.md
CVE-2025-25678 - Tenda i12 V1.0.0.10(3805) was discovered to contain a buffer overflow via the funcpara1 parameter in the formSetCfm function.
Product: Tenda i12
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25678
NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/i12V1/setcfm.md
CVE-2025-27105 - Vyper's AugAssign statements vulnerability in handling DynArray access has been addressed in version 0.4.1 with no known workarounds available.
Product: Vyper
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27105
NVD References: https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp
CVE-2025-20051 - Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 have a vulnerability that allows a user to read any arbitrary file on the system by duplicating a specially crafted block in Boards.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20051
NVD References: https://mattermost.com/security-updates
CVE-2025-24490 - Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 are vulnerable to SQL injection during boards reordering, potentially exposing database data.
Product: Mattermost
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24490
NVD References: https://mattermost.com/security-updates
CVE-2025-25279 - Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 are vulnerable to improper validation of board blocks during board imports, enabling attackers to read any file on the system via specially crafted import archives in Boards.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25279
NVD References: https://mattermost.com/security-updates
CVE-2025-26201 - GreaterWMS <= 2.1.49 is vulnerable to credential disclosure via the /staff route, allowing unauthenticated remote attackers to bypass authentication and escalate privileges.
Product: GreaterWMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26201
NVD References:
- https://github.com/Elymaro/CVE/blob/main/GreaterWMS/CVE-2025-26201.md
CVE-2024-54820 - XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 is vulnerable to SQL injection on the login page, enabling attackers to extract all usernames and passwords.
Product: XOne Web Monitor
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54820
NVD References:
- https://github.com/jcarabantes/CVE-2024-54820
- https://github.com/jcarabantes/CVE-2024-54820
CVE-2025-27364 - MITRE Caldera is vulnerable to remote code execution via a crafted web request to the server API.
Product: MITRE Caldera
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27364
NVD References:
- https://github.com/mitre/caldera/commit/35bc06e42e19fe7efbc008999b9f993b1b7109c0
- https://github.com/mitre/caldera/pull/3129
- https://github.com/mitre/caldera/pull/3131/commits/61de40f92a595bed462372a5e676c2e5a32d1050
- https://github.com/mitre/caldera/releases
- https://github.com/mitre/caldera/security
CVE-2025-1492 - Wireshark versions 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 are vulnerable to denial of service attacks through packet injection or crafted capture files due to crashes in the Bundle Protocol and CBOR dissectors.
Product: Wireshark
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1492
ISC Diary: https://isc.sans.edu/diary/31712
NVD References:
- https://gitlab.com/wireshark/wireshark/-/issues/20373
- https://www.wireshark.org/security/wnpa-sec-2025-01.html
CVE-2024-13725 - The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter, allowing unauthenticated attackers to include PHP files on the server and potentially execute code.
Product: Keap Official Opt In Forms
Active Installations: 2,000+. This plugin has been closed as of February 20, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13725
NVD References:
- https://wordpress.org/plugins/infusionsoft-official-opt-in-forms/
CVE-2024-12860 - The CarSpot – Dealership Wordpress Classified Theme for WordPress allows unauthenticated attackers to escalate privileges through account takeover by changing arbitrary user passwords up to version 2.4.3.
Product: Carspot Project
Active Installations: Update to version 2.4.3 or later
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12860
NVD References:
- https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539
CVE-2024-13789 - The ravage plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, potentially allowing unauthenticated attackers to inject a PHP Object.
Product: ravpage plugin
Active Installations: This plugin has been closed as of February 19, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13789
NVD References:
- https://plugins.trac.wordpress.org/browser/ravpage/trunk/ravpage.php#L24
CVE-2025-26763 - MetaSlider Responsive Slider by MetaSlider is vulnerable to object injection through untrusted data deserialization (versions n/a through 3.94.0).
Product: MetaSlider Responsive Slider
Active Installations: 600,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26763
CVE-2025-26776 - Chaty Pro allows unrestricted upload of dangerous file types, allowing for potential upload of a web shell onto a web server, affecting versions n/a through 3.3.3.
Product: Chaty Pro
Active Installations: 300,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26776
The following vulnerability needs a manual review:
CVE-2025-21589 - An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.
Product: Juniper Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router
CVSS Scores: CVSS: v3.1: 9.8; CVSS: v4.0: 9.3
** KEV since 20xx-xx-xx **
NVD: N/A
ISC Podcast: https://isc.sans.edu/podcastdetail/9330
CVE-2025-27364 - MITRE Caldera is vulnerable to remote code execution via a crafted web request to the server API.
Product: MITRE Caldera
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27364
NVD References:
- https://github.com/mitre/caldera/commit/35bc06e42e19fe7efbc008999b9f993b1b7109c0
- https://github.com/mitre/caldera/pull/3129
- https://github.com/mitre/caldera/pull/3131/commits/61de40f92a595bed462372a5e676c2e5a32d1050
- https://github.com/mitre/caldera/releases
- https://github.com/mitre/caldera/security
CVE-2025-1492 - Wireshark versions 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 are vulnerable to denial of service attacks through packet injection or crafted capture files due to crashes in the Bundle Protocol and CBOR dissectors.
Product: Wireshark
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1492
ISC Diary: https://isc.sans.edu/diary/31712
NVD References:
- https://gitlab.com/wireshark/wireshark/-/issues/20373
- https://www.wireshark.org/security/wnpa-sec-2025-01.html
CVE-2024-13725 - The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter, allowing unauthenticated attackers to include PHP files on the server and potentially execute code.
Product: Keap Official Opt In Forms
Active Installations: 2,000+. This plugin has been closed as of February 20, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13725
NVD References:
- https://wordpress.org/plugins/infusionsoft-official-opt-in-forms/
CVE-2024-12860 - The CarSpot – Dealership Wordpress Classified Theme for WordPress allows unauthenticated attackers to escalate privileges through account takeover by changing arbitrary user passwords up to version 2.4.3.
Product: Carspot Project
Active Installations: Update to version 2.4.3 or later
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12860
NVD References:
- https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539
CVE-2024-13789 - The ravage plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, potentially allowing unauthenticated attackers to inject a PHP Object.
Product: ravpage plugin
Active Installations: This plugin has been closed as of February 19, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13789
NVD References:
- https://plugins.trac.wordpress.org/browser/ravpage/trunk/ravpage.php#L24
CVE-2025-26763 - MetaSlider Responsive Slider by MetaSlider is vulnerable to object injection through untrusted data deserialization (versions n/a through 3.94.0).
Product: MetaSlider Responsive Slider
Active Installations: 600,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26763
CVE-2025-26776 - Chaty Pro allows unrestricted upload of dangerous file types, allowing for potential upload of a web shell onto a web server, affecting versions n/a through 3.3.3.
Product: Chaty Pro
Active Installations: 300,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26776
The following vulnerability needs a manual review:
CVE-2025-21589 - An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.
Product: Juniper Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router
CVSS Scores: CVSS: v3.1: 9.8; CVSS: v4.0: 9.3
** KEV since 20xx-xx-xx **
NVD: N/A
ISC Podcast: https://isc.sans.edu/podcastdetail/9330
cve-2025-27364 - 5f679e2e2a0e
CVE-2025-1492 - Wireshark versions 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 are vulnerable to denial of service attacks through packet injection or crafted capture files due to crashes in the Bundle Protocol and CBOR dissectors.
Product: Wireshark
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1492
ISC Diary: https://isc.sans.edu/diary/31712
NVD References:
CVE-2024-13725 - The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter, allowing unauthenticated attackers to include PHP files on the server and potentially execute code.
Product: Keap Official Opt In Forms
Active Installations: 2,000+. This plugin has been closed as of February 20, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13725
NVD References:
- https://wordpress.org/plugins/infusionsoft-official-opt-in-forms/
CVE-2024-12860 - The CarSpot – Dealership Wordpress Classified Theme for WordPress allows unauthenticated attackers to escalate privileges through account takeover by changing arbitrary user passwords up to version 2.4.3.
Product: Carspot Project
Active Installations: Update to version 2.4.3 or later
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12860
NVD References:
- https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539
CVE-2024-13789 - The ravage plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, potentially allowing unauthenticated attackers to inject a PHP Object.
Product: ravpage plugin
Active Installations: This plugin has been closed as of February 19, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13789
NVD References:
- https://plugins.trac.wordpress.org/browser/ravpage/trunk/ravpage.php#L24
CVE-2025-26763 - MetaSlider Responsive Slider by MetaSlider is vulnerable to object injection through untrusted data deserialization (versions n/a through 3.94.0).
Product: MetaSlider Responsive Slider
Active Installations: 600,000+
CVSS Score: 9.8
CVE-2025-26776 - Chaty Pro allows unrestricted upload of dangerous file types, allowing for potential upload of a web shell onto a web server, affecting versions n/a through 3.3.3.
Product: Chaty Pro
Active Installations: 300,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26776
The following vulnerability needs a manual review:
CVE-2025-21589 - An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.
Product: Juniper Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router
CVSS Scores: CVSS: v3.1: 9.8; CVSS: v4.0: 9.3
** KEV since 20xx-xx-xx **
NVD: N/A
ISC Podcast: https://isc.sans.edu/podcastdetail/9330
Sponsors
SANS
Survey | 2025 SANS CTI Survey: Navigating Uncertainty in Today’s Threat Landscape | This year’s report will explore: How CTI can help prepare organizations for unpredictable events, how CTI practices are being shaped, how automation and engineering are supporting CTI operations, the role of AI in cybersecurity, and how CTI teams plan their CTI programs. SANS wants to hear from you! Complete the survey by March 27 for a chance to win one of four $100 Amazon gift cards.
SANS
Survey | 2025 SANS CTI Survey: Navigating Uncertainty in Today’s Threat Landscape | This year’s report will explore: How CTI can help prepare organizations for unpredictable events, how CTI practices are being shaped, how automation and engineering are supporting CTI operations, the role of AI in cybersecurity, and how CTI teams plan their CTI programs. SANS wants to hear from you! Complete the survey by March 27 for a chance to win one of four $100 Amazon gift cards.
Microsoft
Webcast | Securing the Future with Microsoft Defender for Cloud: Best Practices and Insights | March 26, 1:00 ET | Join Dave Shackleford, and Microsoft’s Dick Lake, as they explore practical approaches to securing cloud environments. Gain a deeper understanding of key areas such as cloud security posture management, DevOps security, and detection and response strategies—all tailored to help you future-proof your organization in an ever-changing threat landscape. Save your seat today.
OPSWAT
Webcast: March 4 at 1:00 ET | 2025 ICS Security Budget vs. Modern Risk Webcast: Optimizing Cybersecurity Investments for ICS/OT and Critical Infrastructure | Join Dean Parsons as he explores actionable insights into balancing security budgets with the unique needs and risks of ICS/OT systems in the face of escalating cyber threats.