Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-12968 — Infility: The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to
The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to uplo CVSSv3.1 8.8 (HIGH)
Azure Seamless SSO: When Cookie Theft Doesn’t Cut It
SpecterOps demonstrates a complete attack chain from on-premises Active Directory to Azure Global Administrator compromise, leveraging Azure Seamless SSO as an authentication pivot when cookie theft fails. The attack exploits BloodHound graph analysis to identify a path through a synced AD user, resource group ownership, automation runbooks, and service principal privilege escalation to achieve tenant-wide compromise.
CVE-2025-14523 — HTTP: A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request
A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacke CVSSv3.1 8.2 (HIGH) · EPSS 39th percentile
Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis
Trail of Bits released mrva, a terminal-first CLI tool for running CodeQL multi-repository variant analysis locally across thousands of projects. The tool downloads pre-built CodeQL databases from GitHub's API, runs custom queries, and outputs results to stdout, offering an alternative to GitHub's VS Code-dependent MRVA implementation with full local control and privacy.
SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics
Trend Micro disclosed SHADOW-VOID-042, a targeted spear-phishing campaign in October–November 2025 targeting defense, energy, chemical, cybersecurity, and ICT sectors using Trend-themed lures and HR complaint social engineering. The campaign employed multi-stage shellcode exploits (including a 2018 Chrome CVE), custom API hashing, machine-specific encryption, and C&C communication; attribution to Void Rabisu remains unconfirmed pending final payload recovery. Trend Vision One blocked the campaign early in the kill chain, preventing payload delivery.
SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
Researchers disclosed SOAPwn, a novel attack primitive in .NET Framework's HTTP client proxy classes (SoapHttpClientProtocol, DiscoveryClientProtocol, HttpSimpleClientProtocol) that allows attackers to write arbitrary files or relay NTLM credentials by steering proxies toward file:// URLs. When combined with WSDL import functionality, attackers can achieve pre-authenticated RCE in applications that dynamically generate SOAP proxies from attacker-controlled WSDL definitions. Microsoft declined to patch the underlying framework flaw, treating it as a design feature rather than a vulnerability.
SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)
SpecterOps released a comprehensive two-part research series on attacking System Center Operations Manager (SCOM), focusing on RunAs credential extraction from both compromised endpoints and off-host via malicious agent enrollment. The research demonstrates DPAPI-based decryption of credentials stored in registry, policy file decryption using agent certificates, and a novel attack chain enabling arbitrary agent enrollment when automatic approval is enabled, coupled with a new tool (SharpSCOM) to automate credential recovery.
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)
SpecterOps published a comprehensive two-part research series on attacking System Center Operations Manager (SCOM), detailing enumeration techniques via Active Directory integration, SPN discovery, and client reconnaissance, followed by exploitation paths including NTLM relay attacks against the web management console's PowerShell widget for RCE and privilege escalation. The research demonstrates how insecure default configurations enable attackers to harvest RunAs credentials, escalate privileges on management servers, and compromise entire management groups and monitored infrastructure.
CVE-2025-65807 — Chmln Sd: An issue in sd command v1.0.0 and before allows attackers to escalate privileges to
An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command. CVSSv3.1 8.4 (HIGH) · EPSS 8th percentile
CVE-2025-61813 — Adobe Coldfusion: versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed. CVSSv3.1 8.2 (HIGH) · EPSS 31th percentile
CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation
CVE-2025-55182 is a CVSS 10.0 pre-authentication RCE in React Server Components (RSC) affecting React.js, Next.js, and related frameworks. The vulnerability exploits improper deserialization in the React Flight protocol through a four-stage chain leveraging JavaScript prototype pollution, duck-typing, and the Blob handler to achieve arbitrary code execution with full Node.js privileges. Trend Micro documents active in-the-wild exploitation across 145+ PoC variants, with observed campaigns (emerald, nuts) deploying Mirai botnets, Cobalt Strike beacons, Nezha, FRP, Sliver, cryptominers, and custom backdoors on both Linux and Windows infrastructure.
Operationalizing BloodHound Enterprise: Security automation with Tines
SpecterOps published a technical guide demonstrating how to operationalize BloodHound Enterprise by integrating it with Tines for automated incident response workflows. The post covers manual blast-radius assessment techniques (checking Tier Zero status, local admin privileges, and attack paths) and provides a ready-to-use Tines story that automates these investigations using Cypher queries and AI-generated risk summaries.
CVE-2025-65882 — Openmptcprouter Openmptcprouter: An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipa
An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile
The December 2025 Security Update Review
Microsoft released 56 CVEs (70 with Chromium) and Adobe released 139 CVEs in December 2025 patch Tuesday. Three Microsoft CVEs are rated Critical, including two Office RCEs via Preview Pane (CVE-2025-62554/62557) and one Outlook RCE (CVE-2025-62562); CVE-2025-62221 (Windows Cloud Files UAF EoP) is under active exploitation. Adobe's 139 CVEs are dominated by XSS bugs in Experience Manager, with arbitrary code execution fixes in ColdFusion (deployment priority 1) and Reader.
CVE-2025-65594 — Os4ed Opensis: 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows
OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. CVSSv3.1 8.1 (HIGH) · EPSS 17th percentile
CVE-2025-62557 — Microsoft 365_apps: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 28th percentile
CVE-2025-62554 — Microsoft 365_apps: Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 50th percentile
CVE-2025-59719 — Fortinet Fortiweb: An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. CVSSv3.1 9.8 (CRITICAL) · EPSS 50th percentile
CVE-2025-59718 — Fortinet Fortiproxy: A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS
A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authe CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile
CVE-2025-56704 — Lepton-cms Leptoncms: version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the
LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile
Git SCOMmit – Putting the Ops in OpsMgr
SpecterOps releases a modular Ludus automation framework for deploying System Center Operations Manager (SCOM) lab environments across single-server, small-distributed, and medium-distributed topologies. The tool enables red teamers to practice attack techniques against SCOM infrastructure ahead of the Black Hat Europe 2025 talk 'SCOMmand and Conquer' which will detail default configuration weaknesses and domain compromise paths.
CVE-2025-67518 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection.This issue affects Accordion Slider PRO: from n/a through <= 1.2. CVSSv3.1 8.5 (HIGH)
CVE-2025-67517 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2. CVSSv3.1 8.5 (HIGH)
CVE-2025-67516 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2. CVSSv3.1 8.5 (HIGH)
CVE-2025-67515 — Qodeinteractive Wilmer: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion.This issue affects Wilmër: from n/a through < 3.5. CVSSv3.1 8.8 (HIGH)