Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

[Guest Diary] Malware Source Servers: The Threat of Attackers Using Ephemeral Ports as Service Ports to Upload Data

Published: 2025-02-26

Last Updated: 2025-02-26 02:21:53 UTC

by Robin Zaheer, SANS.edu BACS Student (Version: 1)

[This is a Guest Diary by Robin Zaheer, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]

During my time as an intern with SANS Internet Storm Center, my DShield honeypot has seen a variety of attacks that prove to be interesting case studies. Most commonly, I have seen thousands upon thousands of password guessing attacks, for which the ISC provides a nifty webpage that displays the top source IPs, usernames, and passwords used in said attacks observed by my honeypot for SSH/Telnet. Here is a snapshot of that page ...

These attacks are most certainly worth studying, but I think the attacks that occur after the attackers succeed in their password guessing draw my interest the most. After all, attacker behavior is most easily studied when they are given the access necessary to attempt what they mean to do within a target system. The attack I wish to focus on today utilizes a cloud IP that has remained undetected by malicious IP identifiers. It started with the following password guessing attack ...

Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Malware+Source+Servers+The+Threat+of+Attackers+Using+Ephemeral+Ports+as+Service+Ports+to+Upload+Data/31710/

Using ES|QL in Kibana to Query DShield Honeypot Logs

Published: 2025-02-20

Last Updated: 2025-02-20 02:06:46 UTC

by Guy Bruneau (Version: 1)

With the release of Elastic version 8.17.0, which included "The technical preview of new MATCH and query string (QSTR) functions in ES|QL makes log searches easier and more intuitive," I started exploring some of the many options available with ES|QL in Kibana (enabled by default) to run various types of queries that quickly summarize data, outside of the default or custom dashboards.

To illustrate this, I will show two different queries, one using user.name and one using source actor IP addresses. While writing the query, you will notice that after you type the pipe (|), a list of possible ES|QL field options appears; refer to this reference for the ES|QL language.

This is an example of a simple strategy where the only field selected is the user.name stored in the Elasticsearch cowrie table. In this example, the output is limited by time and up to 1000 rows. By adding | LIMIT 10 to the end of the query, the output would only show the TOP 10 vs. up to 1000 ...

Read the full entry: https://isc.sans.edu/diary/Using+ESQL+in+Kibana+to+Queries+DShield+Honeypot+Logs/31704/

Internet Storm Center Entries


Unfurl v2025.02 released (2025.02.24)

https://isc.sans.edu/diary/Unfurl+v202502+released/31716/

Wireshark 4.4.4 Released (2025.02.23)

https://isc.sans.edu/diary/Wireshark+444+Released/31712/

Tool update: sigs.py - added check mode (2025.02.21)

https://isc.sans.edu/diary/Tool+update+sigspy+added+check+mode/31706/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-26794 - Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.

Product: Exim

CVSS Score: 7.5

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26794

ISC Podcast: https://isc.sans.edu/podcastdetail/9338

NVD References:

- https://bugzilla.suse.com/show_bug.cgi?id=1237424

- https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305

- https://exim.org

- https://github.com/Exim/exim/wiki/EximSecurity

- https://github.com/NixOS/nixpkgs/pull/383926

- https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d

- https://www.exim.org/static/doc/security/CVE-2025-26794.txt

- http://www.openwall.com/lists/oss-security/2025/02/19/1

- http://www.openwall.com/lists/oss-security/2025/02/21/4

- http://www.openwall.com/lists/oss-security/2025/02/21/5

CVE-2025-24989 - Power Pages has an improper access control vulnerability that could allow unauthorized attackers to elevate privileges over a network.

Product: Microsoft Power Pages

CVSS Score: 8.2

** KEV since 2025-02-21 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24989

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989

CVE-2023-34192 - Zimbra ZCS v.8.8.15 is vulnerable to cross-site scripting, enabling remote authenticated attackers to execute arbitrary code by manipulating a script in the /h/autoSaveDraft function.

Product: Zimbra Collaboration 8.8.15

CVSS Score: 0

** KEV since 2025-02-25 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34192

CVE-2017-3066 - Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier are vulnerable to a Java deserialization flaw in Apache BlazeDS library, allowing for potential arbitrary code execution.

Product: Adobe Coldfusion 2016

CVSS Score: 0

** KEV since 2025-02-24 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-3066

CVE-2025-1023 - ChurchCRM 5.13.0 and prior is vulnerable to a time-based blind SQL Injection in the EditEventTypes functionality, allowing attackers to execute arbitrary SQL queries and potentially modify or delete data.

Product: ChurchCRM

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1023

NVD References: https://github.com/ChurchCRM/CRM/issues/7246

CVE-2024-57045 - The D-Link DIR-859 router with firmware version A3 1.05 and earlier allows unauthorized access through a POST request to the /getcfg.php page.

Product: D-Link DIR-859 Router

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57045

NVD References:

- https://github.com/Shuanunio/CVE_Requests/blob/main/D-Link/DIR-859/ACL%20bypass%20Vulnerability%20in%20D-Link%20DIR-859.md

- https://www.dlink.com/en/security-bulletin/

CVE-2024-57049 - TP-Link Archer c20 router with firmware version V6.6_230412 and earlier allows unauthorized users to bypass authentication in certain /cgi interfaces by adding "Referer: http://tplinkwifi.net" to the request.

Product: TP-Link Archer

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57049

NVD References: https://github.com/Shuanunio/CVE_Requests/blob/main/TP-Link/archer%20c20/ACL%20bypass%20Vulnerability%20in%20TP-Link%20archer%20c20.md

CVE-2024-57050 - TP-Link WR840N v6 router with firmware version 0.9.1 4.16 and earlier allows unauthorized bypass of authentication in specific /cgi interfaces by adding Referer: http://tplinkwifi.net to the request.

Product: TP-Link WR840N

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57050

NVD References: https://github.com/Shuanunio/CVE_Requests/blob/main/TP-Link/WR840N%20v6/ACL%20bypass%20Vulnerability%20in%20TP-Link%20TL-WR840N.md

CVE-2024-39327 - Atos Eviden IDRA before version 2.6.1 has an Incorrect Access Control vulnerability that could lead to unauthorized access to CA signing capabilities.

Product: Atos Eviden IDRA

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39327

NVD References:

- https://eviden.com/solutions/digital-security/digital-identity/

- https://support.bull.com/ols/product/security/psirt/security-bulletins/potential-privilege-escalation-in-idpki-psirt-1335-tlp-clear-version-2-10-cve-2024-39327-cve-2024-39328-cve-2024-51505/view

CVE-2024-55460 - BoardRoom Limited Dividend Distribution Tax Election System Version v2.0 is vulnerable to a time-based SQL injection on its login page, enabling attackers to execute code by manipulating input.

Product: BoardRoom Limited Dividend Distribution Tax Election System Version v2.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55460

NVD References:

- https://github.com/Ap0k4L1p5/CVE-research/tree/master/CVE-2024-55460

- https://sgsrs.boardroomlimited.com/taxelection/login.aspx

CVE-2022-41545 - Netgear C7800 Router running firmware version 6.01.07 is vulnerable to eavesdropping on administrative credentials due to its use of basic authentication without transport security, allowing adversaries to intercept plaintext usernames and passwords during authenticated requests.

Product: Netgear C7800 Router

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41545

NVD References:

- https://seclists.org/fulldisclosure/2025/Feb/12

- https://www.netgear.com/about/security/

- https://www.netgear.com/images/datasheet/networking/cablemodems/C7800.pdf

- http://seclists.org/fulldisclosure/2025/Feb/12

CVE-2025-24894 - SPID.AspNetCore.Authentication is vulnerable to an arbitrary SAML response injection issue, allowing attackers to impersonate any Spid and/or CIE user unless upgraded to version 3.4.0.

Product: SPID AspNetCore Remote Authenticator

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24894

NVD References: https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw

CVE-2025-24895 - CIE.AspNetCore.Authentication is vulnerable to arbitrary SAML response injection by attackers, allowing impersonation of Spid and/or CIE users until version 2.1.0 is installed.

Product: CIE AspNetCore Authentication

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24895

NVD References: https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486

CVE-2024-56000 - Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements allows Privilege Escalation. This issue affects K Elements: from n/a before 5.4.0.

Product: SeventhQueen K Elements

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56000

NVD References:

- https://patchstack.com/articles/critical-privilege-escalation-patched-in-kleo-themes-plugin?_s_id=cve

- https://patchstack.com/database/wordpress/plugin/k-elements/vulnerability/wordpress-k-elements-plugin-5-2-0-unauthenticated-account-takeover-vulnerability?_s_id=cve

- https://themeforest.net/item/kleo-pro-community-focused-multipurpose-buddypress-theme/6776630?_s_id=cve

CVE-2025-22654 - Kodeshpa Simplified is vulnerable to an Unrestricted Upload of File with Dangerous Type issue, allowing attackers to upload malicious files, affecting versions up to 1.0.6.

Product: Kodeshpa Simplified

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22654

NVD References: https://patchstack.com/database/wordpress/plugin/simplified/vulnerability/wordpress-simplified-plugin-plugin-1-0-6-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2025-26615 - WeGIA's `examples.php` endpoint has a Path Traversal vulnerability that could lead to unauthorized access to sensitive information in `config.php`.

Product: WeGIA Web Manager for Institutions

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26615

NVD References: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-p5wx-pv8j-f96h

CVE-2025-25467 - Libx264 git master is vulnerable to arbitrary code execution due to insufficient tracking and releasing of allocated memory in AAC file parsing.

Product: VideoLAN libx264

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25467

NVD References: https://code.videolan.org/videolan/x264/-/issues/75

CVE-2020-35546 - Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.

Product: Lexmark MX6500

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-35546

NVD References:

- http://support.lexmark.com

- https://publications.lexmark.com/publications/security-alerts/CVE-2020-35546.pdf

CVE-2023-46271 - Extreme Networks IQ Engine version before 10.6r1a has a buffer overflow vulnerability due to the ah_webui service on TCP port 3009.

Product: Extreme Networks IQ Engine

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46271

NVD References:

- https://extreme-networks.my.site.com/ExtrArticleDetail?an=000115354&q=CVE-2023-46271

- https://extremenetworks.com

- https://www.zerodayinitiative.com/advisories/ZDI-23-1766/

CVE-2024-37361 - Hitachi Vantara Pentaho Business Analytics Server deserializes untrusted JSON data without proper validation, leading to potential unauthorized actions by attackers.

Product: Hitachi Vantara Pentaho Business Analytics Server

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37361

NVD References: https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361

CVE-2024-57401 - Uniclare Student portal v.2 and before is vulnerable to SQL Injection, allowing remote attackers to execute arbitrary code through the Forgot Password feature.

Product: Uniclare Student portal

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57401

NVD References:

- https://github.com/aksingh82/CVE-2024-57401

- https://studentportal.universitysolutions.in/

CVE-2025-20059 - Ping Identity PingAM Java Policy Agent is vulnerable to Relative Path Traversal allowing for Parameter Injection up to the versions 5.10.3, 2023.11.1, and 2024.9.

Product: Ping Identity PingAM Java Policy Agent

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20059

NVD References: https://backstage.forgerock.com/knowledge/advisories/article/a61848355

CVE-2025-1265 - Vinci Protocol Analyzer is vulnerable to OS command injection, enabling attackers to gain elevated privileges and execute malicious code on the system.

Product: Vinci Protocol Analyzer

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1265

NVD References:

- https://elseta.com/support/

- https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-06

CVE-2025-24893 - XWiki Platform is vulnerable to arbitrary remote code execution through a request to `SolrSearch`, impacting the confidentiality, integrity, and availability of the installation.

Product: XWiki Platform

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24893

NVD References:

- https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955

- https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824

- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j

- https://jira.xwiki.org/browse/XWIKI-22149

CVE-2024-54756 - ZDoom Team GZDoom v4.13.1 is vulnerable to remote code execution via a crafted PK3 file.

Product: ZDoom Team GZDoom

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54756

NVD References:

- https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoC

- https://seclists.org/fulldisclosure/2025/Feb/11

- http://seclists.org/fulldisclosure/2025/Feb/11

CVE-2025-25662 - Tenda O4 V3.0 V1.0.0.10(2936) is vulnerable to Buffer Overflow in the function SafeSetMacFilter of the file /goform/setMacFilterList.

Product: Tenda O4 V3.0 V1.0.0.10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25662

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/O4V3/setMacFilterList.md

CVE-2025-25663 - Tenda AC8V4 V16.03.34.06 is vulnerable to a stack-based buffer overflow in the wpapsk_crypto argument of function SUB_0046AC38 in the file /goform/WifiExtraSet.

Product: Tenda AC8V4

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25663

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/WifiExtraSet.md

CVE-2025-25664 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_49E098 function.

Product: Tenda AC8

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25664

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/SetIpMacBind.md

CVE-2025-25667 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.

Product: Tenda AC8V4

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25667

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/saveParentControlInfo.md

CVE-2025-25668 - Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_47D878 function.

Product: Tenda AC8V4

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25668

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/setMacFilterCfg.md

CVE-2025-25674 - Tenda AC10 V1.0 V15.03.06.23 is vulnerable to Buffer Overflow in form_fast_setting_wifi_set via the parameter ssid.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25674

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC10V1/fast_setting_wifi_set.md

CVE-2025-25675 - Tenda AC10 V1.0 V15.03.06.23 is vulnerable to command injection through the formexeCommand function, allowing arbitrary command execution.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25675

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/AC10V1/formexeCommand.md

CVE-2025-25676 - Tenda i12 V1.0.0.10(3805) was discovered to contain a buffer overflow via the list parameter in the formwrlSSIDset function.

Product: Tenda i12

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25676

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/i12V1/wifiSSIDget.md

CVE-2025-25678 - Tenda i12 V1.0.0.10(3805) was discovered to contain a buffer overflow via the funcpara1 parameter in the formSetCfm function.

Product: Tenda i12

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25678

NVD References: https://github.com/jangfan/my-vuln/blob/main/Tenda/i12V1/setcfm.md

CVE-2025-27105 - Vyper has a vulnerability in the handling of DynArray access within AugAssign statements; it has been addressed in version 0.4.1, and no workarounds are known.

Product: Vyper

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27105

NVD References: https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp

CVE-2025-20051 - Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 have a vulnerability that allows a user to read any arbitrary file on the system by duplicating a specially crafted block in Boards.

Product: Mattermost

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20051

NVD References: https://mattermost.com/security-updates

CVE-2025-24490 - Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 are vulnerable to SQL injection during boards reordering, potentially exposing database data.

Product: Mattermost

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24490

NVD References: https://mattermost.com/security-updates

CVE-2025-25279 - Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 are vulnerable to improper validation of board blocks during board imports, enabling attackers to read any file on the system via specially crafted import archives in Boards.

Product: Mattermost

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25279

NVD References: https://mattermost.com/security-updates

CVE-2025-26201 - GreaterWMS <= 2.1.49 is vulnerable to credential disclosure via the /staff route, allowing unauthenticated remote attackers to bypass authentication and escalate privileges.

Product: GreaterWMS

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26201

NVD References:

- http://greaterwms.com

- https://github.com/Elymaro/CVE/blob/main/GreaterWMS/CVE-2025-26201.md

- https://github.com/GreaterWMS/GreaterWMS/issues/383

CVE-2024-54820 - XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 is vulnerable to SQL injection on the login page, enabling attackers to extract all usernames and passwords.

Product: XOne Web Monitor

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54820

NVD References:

- https://github.com/jcarabantes/CVE-2024-54820

- https://xone.es/

CVE-2025-27364 - MITRE Caldera is vulnerable to remote code execution via a crafted web request to the server API.

Product: MITRE Caldera

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27364

NVD References:

- https://github.com/mitre/caldera/commit/35bc06e42e19fe7efbc008999b9f993b1b7109c0

- https://github.com/mitre/caldera/pull/3129

- https://github.com/mitre/caldera/pull/3131/commits/61de40f92a595bed462372a5e676c2e5a32d1050

- https://github.com/mitre/caldera/releases

- https://github.com/mitre/caldera/security

- https://medium.com/@mitrecaldera/mitre-caldera-security-advisory-remote-code-execution-cve-2025-27364-5f679e2e2a0e

CVE-2025-1492 - Wireshark versions 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 are vulnerable to denial of service attacks through packet injection or crafted capture files due to crashes in the Bundle Protocol and CBOR dissectors.

Product: Wireshark

CVSS Score: 7.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1492

ISC Diary: https://isc.sans.edu/diary/31712

NVD References:

- https://gitlab.com/wireshark/wireshark/-/issues/20373

- https://www.wireshark.org/security/wnpa-sec-2025-01.html

CVE-2024-13725 - The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter, allowing unauthenticated attackers to include PHP files on the server and potentially execute code.

Product: Keap Official Opt In Forms

Active Installations: 2,000+. This plugin has been closed as of February 20, 2025 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13725

NVD References:

- https://plugins.trac.wordpress.org/browser/infusionsoft-official-opt-in-forms/trunk/infusionsoft.php#L2540

- https://wordpress.org/plugins/infusionsoft-official-opt-in-forms/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/692a5838-4a32-4444-b1a0-018fa25594a9?source=cve

CVE-2024-12860 - The CarSpot – Dealership Wordpress Classified Theme for WordPress, up to version 2.4.3, allows unauthenticated attackers to take over accounts by changing arbitrary user passwords and thereby escalate privileges.

Product: Carspot Project

Active Installations: Update to version 2.4.3 or later

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12860

NVD References:

- https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539

- https://www.wordfence.com/threat-intel/vulnerabilities/id/d1043dce-628f-485b-bc1c-b78938c2a6f5?source=cve

CVE-2024-13789 - The ravpage plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, potentially allowing unauthenticated attackers to inject a PHP Object.

Product: ravpage plugin

Active Installations: This plugin has been closed as of February 19, 2025 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13789

NVD References:

- https://plugins.trac.wordpress.org/browser/ravpage/trunk/ravpage.php#L24

- https://www.wordfence.com/threat-intel/vulnerabilities/id/5e0bcf70-2ffc-45c8-b63e-a8376b6cd22b?source=cve

CVE-2025-26763 - MetaSlider Responsive Slider by MetaSlider is vulnerable to object injection through untrusted data deserialization (versions n/a through 3.94.0).

Product: MetaSlider Responsive Slider

Active Installations: 600,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26763

NVD References: https://patchstack.com/database/wordpress/plugin/ml-slider/vulnerability/wordpress-slider-gallery-and-carousel-by-metaslider-image-slider-video-slider-plugin-3-94-0-php-object-injection-vulnerability?_s_id=cve

CVE-2025-26776 - Chaty Pro allows unrestricted upload of dangerous file types, allowing for potential upload of a web shell onto a web server, affecting versions n/a through 3.3.3.

Product: Chaty Pro

Active Installations: 300,000+

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26776

NVD References: https://patchstack.com/database/wordpress/plugin/chaty-pro/vulnerability/wordpress-chaty-pro-plugin-3-3-3-arbitrary-file-upload-vulnerability?_s_id=cve

The following vulnerability needs a manual review:

CVE-2025-21589 - An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.

Product: Juniper Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router

CVSS Scores: v3.1: 9.8; v4.0: 9.3

** KEV since 20xx-xx-xx **

NVD: N/A

ISC Podcast: https://isc.sans.edu/podcastdetail/9330

References: https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-Bulletin-Session-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589?language=en_US