@RISK®: The Consensus Security Vulnerability Alert
March 27, 2025 - Vol. 25, Num. 12
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
Featuring the latest input from the SANS® Internet Storm Center®
Archived issues may be found at http://www.sans.org/newsletters/at-risk
CONTENTS:
- INTERNET STORM CENTER SPOTLIGHT
- OTHER INTERNET STORM CENTER ENTRIES
- RECENT CVEs
Sponsored By Sevco Security
Traditional vulnerability management solutions fail to provide proper attack surface visibility. Security teams need a new approach to manage ever-changing environments. Learn how Exposure Assessment Platforms (EAPs) can identify, prioritize, and remediate risk more effectively: https://www.sans.org/info/231955
Sponsored Links:
Survey | 2025 SANS SOC Survey: Facing Top Challenges in Security Operations
The SANS 2025 SOC Survey uncovers the biggest challenges, trends, and innovations shaping modern SOCs. Your insights help drive industry benchmarks and best practices. Take the survey & shape the future of SOCs. Complete the survey by March 24 for a chance to win a $100 or a $250 Amazon gift card. https://www.sans.org/info/231905
Survey | 2025 SANS AI Survey: AI and Its Growing Role in Cybersecurity
Help us uncover key trends, challenges, and the evolving role of AI in cybersecurity. Your expertise strengthens industry-wide security strategies. Share your insights today! Complete the survey today to be entered into a drawing for one of four $100 gift cards. https://www.sans.org/info/231910
Webcast | SANS 2025 CTI Survey Webcast & Forum: Navigating Uncertainty in Today’s Threat Landscape | May 21, 10:30 am ET
As the cyber threat landscape continues to evolve, the past year has presented unique challenges and opportunities for cyber threat intelligence professionals. Save your seat today so you can explore with Rebekah Brown and Andreas Sfakianakis this year’s survey results. https://www.sans.org/info/231915
INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
XWiki Search Vulnerability exploit attempts (CVE-2024-31982)
Published: 2025-03-25
Last Updated: 2025-03-25 15:07:14 UTC
by Johannes Ullrich (Version: 1)
Creating a secure Wiki is hard. The purpose of a wiki is to allow "random" users to edit web pages. A good Wiki provides users with great flexibility, but with great flexibility comes an even "greater" attack surface. File uploads and markup (or markdown) are all well-known security issues affecting various Wikis in the past.
Today's vulnerability is a bit different, and less a typical "Wiki" vulnerability. The XWiki search issue (CVE-2024-31982; the CVE-2024-3721 identifier in the original diary title belongs to the TBK DVR command injection listed under RECENT CVEs below) was patched April 13th last year. It addresses an interesting code injection vulnerability, script macros injected through the search query, that is exploited via the XWiki search feature. A user usually does not need to log in to use the search. In some ways, this is one of the "less dangerous" features for a Wiki.
The exploit we are seeing now is pretty much identical to the PoC published back in April ...
Read the full entry: https://isc.sans.edu/diary/XWiki+Search+Vulnerability+exploit+attempts+CVE20243721/31800/
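As an added example (not code from the diary or from XWiki), the following Python scans web-server access logs for requests to XWiki's search endpoints whose text parameter carries XWiki rendering-macro syntax. It encodes one assumption: that the public PoC injects script macros such as {{groovy}} through the search query, so macro syntax in a search string is the indicator. The endpoint paths, the combined log format and the three log lines are constructed for illustration.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# XWiki rendering-macro syntax, "{{name ...}}" / "{{/name}}". Assumption: the search
# text is rendered, so macro syntax in the "text" parameter is the indicator; script
# macros are the ones that yield code execution.
MACRO_RE = re.compile(r'\{\{\s*/?\s*([a-z][a-z0-9_-]*)', re.I)
SCRIPT_MACROS = {"groovy", "velocity", "python", "script", "async"}

# Constructed log lines (not real traffic): one exploit-style request, one normal
# search, and a POST whose body (where a payload could also travel) is not logged.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1834 "-" "python-requests/2.31"
198.51.100.4 - - [25/Mar/2025:10:03:11 +0000] "GET /xwiki/bin/view/Main/Search?text=quarterly+report HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2025:10:05:40 +0000] "POST /xwiki/bin/get/Main/SolrSearch HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""


def inspect_request(target: str) -> dict | None:
    """Return a finding if a search request's text parameter carries macro syntax."""
    parts = urlsplit(target)
    if "search" not in parts.path.lower():      # SolrSearch and the legacy Search page
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("text", []):
        macros = [m.lower() for m in MACRO_RE.findall(value)]   # parse_qs percent-decodes
        if macros:
            return {"text": value, "macros": macros,
                    "script": bool(set(macros) & SCRIPT_MACROS)}
    return None


def scan_log(text: str) -> list[dict]:
    """Run inspect_request over every parsable line; return one finding per hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), **finding})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        level = "SCRIPT-MACRO" if hit["script"] else "macro"
        print(f'{hit["ts"]} {hit["ip"]} {level} {hit["macros"]} status={hit["status"]}')
```

Macro syntax has no legitimate place in a search query, so even a hit without a script macro deserves a look. Access logs only show the query string; a payload sent in a POST body needs request-body logging or a WAF in front of the wiki to be seen.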
Some new Data Feeds, and a little "incident"
Published: 2025-03-20
Last Updated: 2025-03-20 17:58:57 UTC
by Johannes Ullrich (Version: 1)
Our API (https://isc.sans.edu/api) continues to be quite popular. One query we see a lot is lookups for individual IP addresses. Running many queries as you go through a log may cause you to get locked out by our rate limit. To help with that, we now offer additional "summary feeds" that include all data recently received. You may download these feeds and import them in your database of choice (or grep the text file for records). This will make bulk lookups a lot easier and faster.
For more details and continuing updates, see, https://isc.sans.edu/feeds_doc.html
I will gladly add more feeds as needed. Please let me know via our contact page if you run into errors.
We do often get requests for commercial use of our data. Our data is published under a "Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International" license. You may use the data if you attribute it to us and do not resell it. We are okay with you using the data in a SOC at a commercial enterprise to help you defend your organization.
If you find it helpful: Let us know. Tell us what works and does not work. The simplest way to help us out is to run one of our honeypots and tell us what works or doesn't work with it. Please do not ask us to remove data because you consider it a false positive. False positives are part of the game, and while we will gladly add comments to some of the data, we do not remove data as it may distort it for other research tasks.
But enough about data feeds. Today, we also had a recurrence of an attack I hadn't seen in a while. This "incident" started with some of our handlers receiving a request to update a link in an older podcast ...
Read the full entry: https://isc.sans.edu/diary/Some+new+Data+Feeds+and+a+little+incident/31786/
[Guest Diary] Leveraging CNNs and Entropy-Based Feature Selection to Identify Potential Malware Artifacts of Interest
Published: 2025-03-26
Last Updated: 2025-03-26 00:07:40 UTC
by Wee Ki Joon, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Wee Ki Joon, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
Executive Summary
This diary explores a novel methodology for classifying malware by integrating entropy-driven feature selection with a specialized Convolutional Neural Network (CNN). Motivated by the increasing obfuscation tactics used by modern malware authors, we will focus on capturing high-entropy segments within files, regions most likely to harbor malicious functionality, and feeding these distinct byte patterns into our model.
The result is a multi-class classification model capable of delivering accurate, easily accessible malware categorizations, in turn creating new opportunities for deeper threat correlation and more efficient triage.
We will also discuss the following sections:
Entropy-Based Sliding Window Extraction: Rather than analyzing only the initial segment of each file, we apply a sliding window mechanism that computes entropy in overlapping chunks. This locates suspicious, high-entropy hotspots without being limited by fixed-size segments.
CNN Architecture and Training: A multi-layer convolutional neural network that ingests byte-image representations of the extracted segments was employed. Techniques such as class weighting, batch normalization, and early stopping ensure balanced, high-fidelity learning.
Evaluation and Results: Tested against a large corpus of malicious and benign binaries, the model achieved approximately 91% overall accuracy, with notable performance in distinguishing multiple malware families. Confusion matrices also highlight pitfalls among closely related classes (e.g. droppers and downloaders) ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Leveraging+CNNs+and+EntropyBased+Feature+Selection+to+Identify+Potential+Malware+Artifacts+of+Interest/31790/
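As an added illustration of the entropy-based sliding-window extraction described above (example code written for this page, not the student's own pipeline), the following computes Shannon entropy over overlapping windows and returns the highest-entropy, non-overlapping windows as the candidate segments one would hand to a classifier. The window size, step and threshold are assumptions, and the sample buffer is constructed inline: repetitive text, then a pseudo-random blob standing in for a packed or encrypted region, then zero padding.

```python
from __future__ import annotations
import math
import random
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_windows(data: bytes, window: int = 256, step: int = 64) -> list[tuple[int, float]]:
    """(offset, entropy) for every window; step < window makes the windows overlap."""
    if window <= 0 or step <= 0:
        raise ValueError("window and step must be positive")
    last_start = max(0, len(data) - window)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last_start + 1, step)]


def hotspots(data: bytes, window: int = 256, step: int = 64,
             threshold: float = 6.8, limit: int = 4) -> list[tuple[int, float, bytes]]:
    """Highest-entropy windows above `threshold`, greedily de-overlapped, best first.
    The returned byte slices are the candidate segments to feed to a classifier."""
    ranked = sorted(entropy_windows(data, window, step), key=lambda t: t[1], reverse=True)
    chosen: list[tuple[int, float, bytes]] = []
    for off, ent in ranked:
        if ent < threshold or len(chosen) >= limit:
            break
        if all(off + window <= c or off >= c + window for c, _, _ in chosen):
            chosen.append((off, ent, data[off:off + window]))
    return chosen


def build_sample() -> bytes:
    """Constructed stand-in for a binary: 1536 bytes of repetitive text, then 512 bytes
    of pseudo-random data (packed/encrypted blob stand-in), then 512 zero bytes."""
    rng = random.Random(20250326)                       # fixed seed: deterministic sample
    text = (b"This program cannot be run in DOS mode.\r\n" * 40)[:1536]
    packed = bytes(rng.getrandbits(8) for _ in range(512))
    return text + packed + b"\x00" * 512


SAMPLE = build_sample()
PACKED_START, PACKED_END = 1536, 2048


if __name__ == "__main__":
    for off, ent, seg in hotspots(SAMPLE):
        print(f"offset {off:5d}  entropy {ent:.2f}  first bytes {seg[:8].hex()}")
```

A 256-byte window cannot reach 8.0 bits even for truly random data (256 samples over 256 symbols leaves many symbols unseen), so thresholds must be set per window size; compressed and encrypted data both land in the same high band, which is why the entropy map locates candidates rather than classifying them.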
RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-26633 - Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
Product: Microsoft Management Console
CVSS Score: 0
** KEV since 2025-03-11 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26633
ISC Podcast: https://isc.sans.edu/podcastdetail/9380
CVE-2025-29927 - Next.js allows an authorization bypass when the authorization check is performed in middleware; fixed in 14.2.25 and 15.2.3. Users who cannot update should block external requests that carry the x-middleware-subrequest header.
Product: Next.js
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29927
ISC Diary: https://isc.sans.edu/diary/31792
ISC Podcast: https://isc.sans.edu/podcastdetail/9376
NVD References:
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- http://www.openwall.com/lists/oss-security/2025/03/23/3
- http://www.openwall.com/lists/oss-security/2025/03/23/4
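The workaround for installations that cannot update is to refuse, at the first hop you control, any external request that carries the header. As an added example (not code from Next.js or Vercel), the following Python shows that rule as a WSGI wrapper that answers 403 before the application sees the request, with an offline call helper so it can be exercised without a socket. The stand-in upstream app and the paths are assumptions; the header name is the one from the advisory.

```python
from __future__ import annotations
from wsgiref.simple_server import make_server

# Header named in the Next.js advisory. Block on presence; the value is irrelevant.
BLOCKED_HEADER = "x-middleware-subrequest"
# WSGI exposes request headers as HTTP_<NAME> with dashes mapped to underscores,
# so the match is case-insensitive by construction.
WSGI_KEY = "HTTP_" + BLOCKED_HEADER.upper().replace("-", "_")


def deny_subrequest_header(app):
    """Wrap a WSGI app so that any request carrying the header is refused with 403
    before it reaches the application."""
    def guarded(environ, start_response):
        if WSGI_KEY in environ:
            body = b"forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded


def upstream(environ, start_response):
    """Stand-in for the Next.js application (assumption: its middleware is what would
    otherwise be bypassed). Anything that gets here is treated as an authorised hit."""
    body = ("reached " + environ.get("PATH_INFO", "/") + "\n").encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def make_environ(path: str, headers: dict[str, str] | None = None) -> dict:
    """Minimal WSGI environ for an offline request, with headers in WSGI form."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
           "SERVER_PORT": "8080", "wsgi.url_scheme": "http"}
    for name, value in (headers or {}).items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def invoke(app, environ: dict) -> tuple[str, bytes]:
    """Call a WSGI app directly (no socket) and return (status line, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body


app = deny_subrequest_header(upstream)

if __name__ == "__main__":
    # Stand-alone: serve the guarded app on 127.0.0.1:8080 and try it with and without
    # the header, e.g.  curl -i -H 'X-Middleware-Subrequest: x' http://127.0.0.1:8080/admin
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

The decision is on presence, not on any particular value, and it belongs at the CDN rule, reverse proxy or load balancer so the header never reaches Next.js; the WSGI form is only a runnable stand-in for that hop. Apply it to traffic arriving from outside only: Next.js sets the same header on its own internal subrequests, and those must keep working.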
CVE-2024-3721 - TBK DVR-4104 and DVR-4216 up to 20240412 are vulnerable to a critical os command injection issue via manipulation of the argument mdb/mdc in the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___.
Product: TBK DVR-4104, DVR-4216
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3721
ISC Diary: https://isc.sans.edu/diary/31800 (the linked diary concerns the XWiki search vulnerability, which it originally labeled with this CVE number)
ISC Podcast: https://isc.sans.edu/podcastdetail/9380
CVE-2025-30154 - reviewdog/action-setup GitHub action installs reviewdog and was compromised on March 11, 2025 between 18:42 and 20:31 UTC, adding malicious code that leaks exposed secrets to Github Actions Workflow Logs.
Product: reviewdog/action-setup (GitHub Action)
CVSS Score: 8.6
** KEV since 2025-03-24 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30154
NVD References:
- https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887
- https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec
- https://github.com/reviewdog/reviewdog/issues/2079
- https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
- https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
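A compromise of this kind lands on every workflow that references the action by a tag such as v1, because a tag is a moving pointer. As an added example (not from reviewdog or any of the advisories linked above), the following Python audits workflow files for uses: references that are not pinned to a full commit SHA. The workflow text is constructed and its 40-hex strings are placeholders, not real commits.

```python
from __future__ import annotations
import re

# "uses:" lines in steps (leading "- ") and in reusable-workflow jobs (no dash).
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?(?P<ref>[^"\'#\s]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
MUTABLE = {"mutable-tag", "mutable-image", "missing-ref"}

# Constructed workflow for illustration; the 40-hex strings are placeholders.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@fedcba9876543210fedcba9876543210fedcba98 # v4
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/tool:1.2
      - name: run
        run: echo hi
  shared:
    uses: example-org/workflows/.github/workflows/ci.yml@main
"""


def classify(ref: str) -> str:
    """Label a uses: reference by how strongly it pins what will actually run."""
    if ref.startswith("./"):
        return "local"                                    # code from this repository
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable-image"
    if "@" not in ref:
        return "missing-ref"
    _, _, version = ref.rpartition("@")
    return "sha-pinned" if SHA_RE.match(version) else "mutable-tag"


def audit_workflow(text: str) -> list[dict]:
    """One record per uses: line: line number, the reference, and its classification."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append({"line": lineno, "uses": m["ref"], "kind": classify(m["ref"])})
    return findings


def unpinned(text: str) -> list[str]:
    """References whose target can change under you (tags, branches, untagged images)."""
    return [f["uses"] for f in audit_workflow(text) if f["kind"] in MUTABLE]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        flag = "  <-- pin to a commit SHA" if f["kind"] in MUTABLE else ""
        print(f'line {f["line"]:2d}  {f["kind"]:14s}  {f["uses"]}{flag}')
```

Pinning to a SHA means a retagged release cannot silently change what the runner executes. It does not vet the commit you pinned, and a pinned action can itself pull in unpinned sub-actions, so pair the check with review of the pinned code and with secrets scoped to the job that needs them.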
CVE-2024-48248 - NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files.
Product: NAKIVO Backup & Replication
CVSS Score: 8.6
** KEV since 2025-03-19 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48248
NVD References:
- https://github.com/watchtowrlabs/nakivo-arbitrary-file-read-poc-CVE-2024-48248/?ref=labs.watchtowr.com
- https://helpcenter.nakivo.com/Release-Notes/Content/Release-Notes.htm
- https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/
CVE-2024-20439 - Cisco Smart Licensing Utility has a vulnerability that lets an unauthenticated, remote attacker access an affected system using a static administrative credential.
Product: Cisco Smart Licensing Utility
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20439
ISC Podcast: https://isc.sans.edu/podcastdetail/9372
CVE-2024-20440 - Cisco Smart Licensing Utility has a vulnerability that could expose sensitive information to remote attackers via an excessively verbose debug log file.
Product: Cisco Smart Licensing Utility
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20440
ISC Podcast: https://isc.sans.edu/podcastdetail/9372
CVE-2024-23943 - Cisco Cloud API allows unauthenticated remote attackers to gain access due to a critical function lacking authentication, without affecting availability.
Product: Cisco Cloud API
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23943
NVD References: https://cert.vde.com/en/advisories/VDE-2024-010
CVE-2023-47539 - FortiMail version 7.4.0 with RADIUS authentication and remote_wildcard enabled allows a remote unauthenticated attacker to bypass admin login.
Product: Fortinet FortiMail
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47539
NVD References: https://fortiguard.com/psirt/FG-IR-23-439
CVE-2024-8997 - Vestel EVC04 Configuration Interface is vulnerable to SQL Injection through 18.03.2025.
Product: Vestel EVC04 Configuration Interface
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8997
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0070
CVE-2025-30113, CVE-2025-30114, CVE-2025-30115 - Forvia Hella HELLA Driving Recorder DR 820 multiple unauthorized access vulnerabilities.
Product: Forvia Hella HELLA Driving Recorder DR 820
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30113
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30114
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30115
NVD References:
- https://github.com/geo-chen/Hella
- https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26
CVE-2025-30122, CVE-2025-30123 - ROADCAM X3 devices are vulnerable to unauthorized access.
Product: ROADCAM X3 devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30122
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30123
NVD References: https://github.com/geo-chen/RoadCam
NVD References: https://roadcam.my/pages/install-x3
CVE-2025-30132 - IROAD Dashcam V devices are at risk due to the use of an unregistered public domain name, allowing potential interception of sensitive device traffic by attackers.
Product: IROAD Dashcam V
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30132
NVD References:
- https://github.com/geo-chen/IROAD-V
- https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-6-public-domain-used-for-internal-domain-name
CVE-2024-57169 - SOPlanning 1.53.00 is vulnerable to a file upload bypass issue in /process/upload.php, enabling remote attackers to bypass upload restrictions and potentially execute code.
Product: SOPlanning
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57169
NVD References: https://themcsam.github.io/posts/so-planing-vulnerabilities/#arbitrary-file-upload-leading-to-rce
CVE-2024-56346 - IBM AIX 7.2 and 7.3 nimesis NIM master service allows remote attackers to execute arbitrary commands.
Product: IBM AIX
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56346
NVD References: https://www.ibm.com/support/pages/node/7186621
CVE-2024-56347 - IBM AIX 7.2 and 7.3 nimsh service is vulnerable to remote code execution due to weak SSL/TLS protection.
Product: IBM AIX
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56347
NVD References: https://www.ibm.com/support/pages/node/7186621
CVE-2025-25595 - Safe App version a3.0.9 is vulnerable to brute force attacks due to a lack of rate limiting in the login page.
Product: Safe Software Safe App
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25595
NVD References:
- https://pastebin.com/t8FthPaF
- https://play.google.com/store/apps/details?id=com.iitb.cse.arkenstone.safe_v2
CVE-2025-30137 - The G-Net GNET APK 2.6.2 contains hardcoded credentials in ports 9091 and 9092, allowing unauthorized access to the dashcam's API endpoints.
Product: G-Net GNET APK
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30137
NVD References:
- https://github.com/geo-chen/GNET
- https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201
CVE-2025-30139 - G-Net Dashcam BB GONX devices have a vulnerability where default SSID credentials cannot be changed, allowing nearby attackers to connect to the network and sniff on connected devices.
Product: G-Net Dashcam BB GONX
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30139
NVD References:
- https://github.com/geo-chen/GNET
- https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201
CVE-2024-10441 - Synology BeeStation Manager (BSM), Synology DiskStation Manager (DSM), and Synology Unified Controller (DSMUC) are vulnerable to improper encoding or escaping of output, allowing remote attackers to execute arbitrary code.
Product: Synology BeeStation Manager (BSM)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10441
NVD References:
- https://www.synology.com/en-global/security/advisory/Synology_SA_24_20
- https://www.synology.com/en-global/security/advisory/Synology_SA_24_23
CVE-2024-10442 - Synology Replication Service and Synology Unified Controller (DSMUC) before specified versions allow remote attackers to execute arbitrary code due to an off-by-one error vulnerability.
Product: Synology Replication Service
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10442
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_24_22
CVE-2024-11131 - Synology Camera Firmware versions before 1.2.0-0525 may allow remote attackers to execute arbitrary code via unspecified vectors, affecting models BC500, CC400W, and TC500.
Product: Synology Camera Firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11131
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_24_24
CVE-2024-55551 - Exasol jdbc driver 24.2.0 is vulnerable to malicious parameter injection in the JDBC URL, leading to JNDI injection and potential remote code execution.
Product: Exasol jdbc driver
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55551
NVD References:
- https://docs.exasol.com/db/7.1/release_notes_drivers_jdbc/24.2.1.htm
- https://docs.exasol.com/db/latest/connect_exasol/drivers/jdbc.htm
- https://gist.github.com/azraelxuemo/9565ec9219e0c3e9afd5474904c39d0f
- https://www.blackhat.com/eu-24/briefings/schedule/index.html#a-novel-attack-surface-java-authentication-and-authorization-service-jaas-42179
CVE-2025-29137 - Tenda AC7 V1.0 V15.03.06.44 is vulnerable to a buffer overflow in the timeZone parameter, allowing for remote code execution.
Product: Tenda AC7
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29137
NVD References: https://github.com/Raining-101/IOT_cve/blob/main/tenda-ac7form_fast_setting_wifi_set%20timeZone.md
CVE-2025-29401 - Emlog Pro v2.5.7 is vulnerable to arbitrary file upload in /views/plugin.php, enabling attackers to execute malicious code by uploading a specially crafted PHP file.
Product: Emlog Pro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29401
NVD References: https://github.com/bGl1o/emlogpro/blob/main/emlog%20pro2.5.7-getshell.md
CVE-2025-29783 - vLLM is vulnerable to remote code execution when configured to use Mooncake and using ZMQ/TCP on all network interfaces.
Product: vLLM (vllm-project)
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29783
NVD References:
- https://github.com/vllm-project/vllm/commit/288ca110f68d23909728627d3100e5a8db820aa2
- https://github.com/vllm-project/vllm/pull/14228
- https://github.com/vllm-project/vllm/security/advisories/GHSA-x3m8-f7g5-qhm7
CVE-2024-57061 - Termius is vulnerable to arbitrary code execution by a physically proximate attacker due to insecure Electron Fuses configuration.
Product: Termius
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57061
NVD References:
- https://sha999.medium.com/cve-2024-57061-termius-insufficient-electron-fuses-configuration-limited-disclosure-ab00d0970159
- https://www.electron.build/tutorials/adding-electron-fuses.html
CVE-2024-12016 - CM Informatics CM News has a SQL Injection vulnerability in versions up to 6.0.
Product: CM Informatics CM News
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12016
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0072
CVE-2024-47552 - Apache Seata (incubating) is vulnerable to deserialization of untrusted data in versions from 2.0.0 up to (but not including) 2.2.0; users should update to version 2.2.0.
Product: Apache Seata
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47552
NVD References:
- https://lists.apache.org/thread/652o82vzk9qrtgksk55cfgpbvdgtkch0
- http://www.openwall.com/lists/oss-security/2025/03/19/5
CVE-2025-2311 - SecHard before 3.3.0.20220411 allows Authentication Bypass and Sensitive Information leakage due to incorrect use of privileged APIs and cleartext transmission of credentials.
Product: Nebula Informatics SecHard
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2311
NVD References: https://www.usom.gov.tr/bildirim/tr-25-0074
CVE-2024-48590 - Inflectra SpiraTeam 7.2.00 is susceptible to SSRF through NewsReaderService, leading to privilege escalation and data exposure.
Product: Inflectra SpiraTeam
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48590
NVD References: https://github.com/GCatt-AS/CVE-2024-48590/blob/main/README.md
CVE-2025-29411 - Mart Developers iBanking v2.0.0 is vulnerable to arbitrary file upload that enables attackers to execute malicious PHP code.
Product: Mart Developers iBanking
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29411
NVD References:
- https://github.com/MartMbithi/iBanking/issues/12
- https://www.simonjuguna.com/cve-2025-29411-authenticated-remote-code-execution-rce-via-arbitrary-file-upload/
CVE-2025-29922 - kcp prior to version 0.26.3 allows attackers to create or delete objects in any workspace without the required permissions.
Product: kcp Kubernetes-like control plane
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29922
NVD References:
- https://github.com/kcp-dev/kcp/commit/614ecbf35f11db00f65391ab6fbb1547ca8b5d38
- https://github.com/kcp-dev/kcp/pull/3338
- https://github.com/kcp-dev/kcp/security/advisories/GHSA-w2rr-38wv-8rrp
CVE-2025-29980 - eTRAKiT.net release 3.2.1.77 is vulnerable to a SQL injection issue, allowing remote unauthenticated attackers to execute arbitrary commands as the current MS SQL server account.
Product: CentralSquare eTRAKiT Net
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29980
NVD References: https://github.com/cisagov/CSAF/pull/182/files#diff-53861466371a59578b21f5e4b4b6be7b2a6267c5d0fe81eda2a849bf6915ed8d
CVE-2025-2538 - ArcGIS Enterprise is vulnerable to a password recovery exploitation flaw in Portal for ArcGIS, enabling unauthorized password resets for the built-in administrator account.
Product: Esri ArcGIS Enterprise
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2538
NVD References: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-1-patch/
CVE-2025-29814 - Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
Product: Microsoft Partner Center
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29814
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29814
CVE-2024-53351 - Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.
Product: pipecd
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53351
NVD References:
- https://gist.github.com/HouqiyuA/948a808b8bd48b17b37a4d5e0b6fb005
- https://github.com/pipe-cd/pipecd
- https://pipecd.dev/
CVE-2025-30472 - Corosync through 3.1.9 is vulnerable to a stack-based buffer overflow in exec/totemsrp.c when encryption is disabled or attacker knows the key, potentially through a large UDP packet.
Product: Corosync
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30472
NVD References:
- https://corosync.org
- https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677
- https://github.com/corosync/corosync/issues/778
CVE-2025-2618 through CVE-2025-2621 - D-Link DAP-1620 1.03 is affected by four critical buffer overflow flaws (in set_ws_action, check_dws_cookie, mod_graph_auth_uri_handler and check_dws_uid, per the references below).
Product: D-Link DAP-1620
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2618
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2619
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2620
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2621
NVD References:
- https://www.dlink.com/
- https://vuldb.com/?submit.518963
- https://witty-maiasaura-083.notion.site/D-link-DAP-1620-set_ws_action-Vulnerability-1afb2f2a6361804e86dcde1e78ea2a8e
- https://vuldb.com/?submit.518968
- https://witty-maiasaura-083.notion.site/D-link-DAP-1620-check_dws_cookie-Vulnerability-1b4b2f2a6361805ca74fdf4949385ade
- https://vuldb.com/?submit.518969
- https://witty-maiasaura-083.notion.site/D-link-DAP-1620-mod_graph_auth_uri_handler-Vulnerability-1afb2f2a6361809ea7f2dc4df3b85f1f
- https://vuldb.com/?submit.518980
- https://witty-maiasaura-083.notion.site/D-link-DAP-1620-check_dws_uid-Vulnerability-1b4b2f2a63618025b049f6e62a1835c0
CVE-2023-25610 - Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below are vulnerable to a buffer underwrite allowing remote attackers to execute arbitrary code or commands.
Product: Fortinet FortiOS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25610
NVD References: https://fortiguard.com/psirt/FG-IR-23-001
CVE-2025-2746, CVE-2025-2747 - Kentico Xperience authentication bypass flaws.
Product: Kentico Xperience
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2746
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2747
NVD References:
- https://devnet.kentico.com/download/hotfixes
- https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
CVE-2025-26512 - SnapCenter versions prior to 6.0.1P1 and 6.1P1 allow an authenticated user to become an admin on a remote system with a plug-in installed.
Product: NetApp SnapCenter
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26512
NVD References:
- https://security.netapp.com/advisory/NTAP-20250324-0001/
CVE-2025-1974 - Kubernetes ingress-nginx: an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller, which can disclose the Secrets the controller can read (in a default installation, all Secrets cluster-wide).
Product: Kubernetes ingress-nginx
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1974
NVD References: https://github.com/kubernetes/kubernetes/issues/131009
CVE-2024-42533 - Convivance StandVoice is vulnerable to SQL injection attacks in the authentication module, enabling remote attackers to execute arbitrary code through the GEST_LOGIN parameter.
Product: Convivance StandVoice
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42533
NVD References: https://gist.github.com/7h30th3r0n3/eae27e0eed39741365c55dfd46b57dc8
CVE-2025-30216 - CryptoLib is vulnerable to a heap overflow in versions 1.3.3 and prior, allowing for potential arbitrary code execution or system instability.
Product: NASA CryptoLib
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30216
NVD References:
- https://github.com/nasa/CryptoLib/commit/810fd66d592c883125272fef123c3240db2f170f
- https://github.com/nasa/CryptoLib/security/advisories/GHSA-v3jc-5j74-hcjv
- https://github.com/user-attachments/assets/d49cea04-ce84-4d60-bb3a-987e843f09c4
CVE-2024-47516 - Pagure is vulnerable to remote code execution due to an argument injection in Git during repository history retrieval.
Product: Pagure
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47516
NVD References:
- https://access.redhat.com/security/cve/CVE-2024-47516
- https://bugzilla.redhat.com/show_bug.cgi?id=2315805
CVE-2025-23120 - Veeam Backup & Replication allows remote code execution (RCE) by authenticated domain users when the backup server is joined to the domain.
Product: Veeam Backup & Replication
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23120
ISC Podcast: https://isc.sans.edu/podcastdetail/9374
NVD References:
- https://www.veeam.com/kb4724
- https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/
CVE-2025-2505 - The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion through the 'lang' parameter, allowing unauthenticated attackers to execute arbitrary PHP files on the server, potentially bypassing access controls and obtaining sensitive data.
Product: WordPress Age Gate plugin
Active Installations: 40,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2505
NVD References:
- https://plugins.trac.wordpress.org/browser/age-gate/trunk/vendor/agegate/common/src/Settings.php#L27
- https://plugins.trac.wordpress.org/changeset/3258075/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d6ac2996-098f-474c-b44e-78d5af7b503a?source=cve
CVE-2025-28904 - Shamalli Web Directory Free through 1.7.6 is vulnerable to blind SQL injection (improper neutralization of special elements in an SQL command).
Product: Shamalli Web Directory Free
Active Installations: 500+
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28904
NVD References: https://patchstack.com/database/wordpress/plugin/web-directory-free/vulnerability/wordpress-web-directory-free-plugin-1-7-6-sql-injection-vulnerability?_s_id=cve
CVE-2024-13410 - The CozyStay and TinySalt themes for WordPress are vulnerable to PHP Object Injection, allowing unauthenticated attackers to inject a PHP Object via deserialization of untrusted input in the 'ajax_handler' function, with no impact unless a POP chain in another plugin or theme is present.
Product: WordPress CozyStay and TinySalt themes
Active Installations: Unknown. Update CozyStay to version 1.7.1, or a newer patched version; Update TinySalt to version 3.10.0, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13410
NVD References:
- https://themeforest.net/item/cozystay-hotel-booking-wordpress-theme/47383367#item-description__changelog
- https://themeforest.net/item/tinysalt-personal-food-blog-wordpress-theme/26294668#item-description__changelog
- https://www.wordfence.com/threat-intel/vulnerabilities/id/61080df6-836f-4365-964a-fa2517e8be5a?source=cve
CVE-2024-12922 - The Altair theme for WordPress is vulnerable to unauthorized data modification, leading to privilege escalation and potential admin access for attackers.
Product: Altair theme
Active Installations: Unknown. Update to version 5.2.5, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12922
NVD References:
- https://themeforest.net/item/tour-travel-agency-altair-theme/9318575
- https://themeforest.net/item/tour-travel-agency-altair-theme/9318575#item-description__changelog
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e27971a3-f84c-4f13-81af-127e7560566a?source=cve
CVE-2024-13790 - The MinimogWP – The High Converting eCommerce WordPress Theme is vulnerable to Local File Inclusion up to version 3.7.0, allowing unauthenticated attackers to include and execute arbitrary files on the server and potentially bypass access controls or obtain sensitive data.
Product: MinimogWP The High Converting eCommerce WordPress Theme
Active Installations: Unknown. Update to version 3.8.0, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13790
NVD References:
- https://changelog.thememove.com/minimog-wp/
- https://themeforest.net/item/minimog-the-high-converting-ecommerce-wordpress-theme/36947163
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ae0e08-5cdc-47ff-b094-3920d56a50f7?source=cve
CVE-2024-13442 - The Service Finder Bookings plugin for WordPress allows for privilege escalation through account takeover due to improper validation of user identity, enabling unauthenticated attackers to log in as any user or change passwords.
Product: WordPress Service Finder Bookings plugin
Active Installations: Unknown. Update to version 5.1, or a newer patched version
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13442
NVD References:
- https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
- https://www.wordfence.com/threat-intel/vulnerabilities/id/827b5482-cb42-4aaa-80b5-3d0143fcead8?source=cve
CVE-2025-2512 - The File Away plugin for WordPress up to version 3.9.9.0.1 allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.
Product: WordPress File Away plugin
Active Installations: This plugin has been closed as of March 24, 2023 and is not available for download. Reason: Security Issue.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2512
NVD References:
- https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_management.php#L1094
- https://wordpress.org/plugins/file-away/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9a93313d-a5d7-4109-93c5-b2da26e7a486?source=cve
CVE-2025-30615 - WP e-Commerce Style Email through 0.6.2 is vulnerable to Cross-Site Request Forgery (CSRF) leading to code injection (remote code execution).
Product: Jacob Schwartz WP e-Commerce Style Email
Active Installations: This plugin has been closed as of March 18, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30615
NVD References: https://patchstack.com/database/wordpress/plugin/wp-e-commerce-style-email/vulnerability/wordpress-wp-e-commerce-style-email-plugin-0-6-2-csrf-to-remote-code-execution-vulnerability?_s_id=cve
CVE-2025-30528 - Awesome Logos through 1.2 is vulnerable to Cross-Site Request Forgery (CSRF) leading to SQL injection.
Product: wpshopee Awesome Logos
Active Installations: This plugin has been closed as of March 11, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30528
NVD References: https://patchstack.com/database/wordpress/plugin/awesome-logos/vulnerability/wordpress-awesome-logos-plugin-1-2-csrf-to-sql-injection-vulnerability?_s_id=cve
© 2025. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
SANS Institute Privacy Policy
11200 Rockville Pike, Suite 200, North Bethesda, MD, 20852
To change your email address visit update profile.
To change your email preferences or unsubscribe visit manage subscriptions.
This mailbox is not monitored. Please email support@sans.org or call 301-654-7267 for assistance.