2025-12-12
2025-12-12 04:15Z
HIGH

CVE-2025-12968 — Infility: The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12968

The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to uplo CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDInfilityTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-12-11
2025-12-11 17:00Z
HIGH

Azure Seamless SSO: When Cookie Theft Doesn’t Cut It

SpecterOps·specterops.io

SpecterOps demonstrates a complete attack chain from on-premises Active Directory to Azure Global Administrator compromise, leveraging Azure Seamless SSO as an authentication pivot when cookie theft fails. The attack exploits BloodHound graph analysis to identify a path through a synced AD user, resource group ownership, automation runbooks, and service principal privilege escalation to achieve tenant-wide compromise.

SRFApplicationTACTA0004TACTA0001SRFIdentitySRFCloudTACTA0008VNDMicrosoftVNDSpecterops
82
Edit Score
2025-12-11
2025-12-11 13:15Z
HIGH

CVE-2025-14523 — HTTP: A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14523

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacke CVSSv3.1 8.2 (HIGH) · EPSS 39th percentile

CWECWE 444VNDHttpTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-12-11
2025-12-11 12:00Z
INFO

Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis

Trail of Bits·blog.trailofbits.com

Trail of Bits released mrva, a terminal-first CLI tool for running CodeQL multi-repository variant analysis locally across thousands of projects. The tool downloads pre-built CodeQL databases from GitHub's API, runs custom queries, and outputs results to stdout, offering an alternative to GitHub's VS Code-dependent MRVA implementation with full local control and privacy.

SRFApplicationTACTA0007TYPResearchTYPToolSTGDiscovery
68
Edit Score
2025-12-11
2025-12-11 00:00Z
HIGH

SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics

Trend Micro Research·trendmicro.comCVE-2018-6065

Trend Micro disclosed SHADOW-VOID-042, a targeted spear-phishing campaign in October–November 2025 targeting defense, energy, chemical, cybersecurity, and ICT sectors using Trend-themed lures and HR complaint social engineering. The campaign employed multi-stage shellcode exploits (including a 2018 Chrome CVE), custom API hashing, machine-specific encryption, and C&C communication; attribution to Void Rabisu remains unconfirmed pending final payload recovery. Trend Vision One blocked the campaign early in the kill chain, preventing payload delivery.

SRFOsTACTA0005TACTA0001TACTA0002SRFBrowserVNDTrend MicroTYPResearchTYPThreat Intel
72
Edit Score
2025-12-10
2025-12-10 17:00Z
CRIT

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL

watchTowr Labs·labs.watchtowr.comCVE-2025-34392CVE-2025-13659in the wild

Researchers disclosed SOAPwn, a novel attack primitive in .NET Framework's HTTP client proxy classes (SoapHttpClientProtocol, DiscoveryClientProtocol, HttpSimpleClientProtocol) that allows attackers to write arbitrary files or relay NTLM credentials by steering proxies toward file:// URLs. When combined with WSDL import functionality, attackers can achieve pre-authenticated RCE in applications that dynamically generate SOAP proxies from attacker-controlled WSDL definitions. Microsoft declined to patch the underlying framework flaw, treating it as a design feature rather than a vulnerability.

SRFApplicationSRFOsTACTA0001TACTA0002VNDMicrosoftVNDIvantiVNDBarracudaVNDUmbraco
92
Edit Score
2025-12-10
2025-12-10 17:00Z
HIGH

SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)

SpecterOps·specterops.io

SpecterOps released a comprehensive two-part research series on attacking System Center Operations Manager (SCOM), focusing on RunAs credential extraction from both compromised endpoints and off-host via malicious agent enrollment. The research demonstrates DPAPI-based decryption of credentials stored in registry, policy file decryption using agent certificates, and a novel attack chain enabling arbitrary agent enrollment when automatic approval is enabled, coupled with a new tool (SharpSCOM) to automate credential recovery.

SRFApplicationSRFOsTACTA0006TACTA0007VNDMicrosoftTYPResearchTYPToolTYPWriteup
82
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-12-10
2025-12-10 17:00Z
HIGH

SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

SpecterOps·specterops.io

SpecterOps published a comprehensive two-part research series on attacking System Center Operations Manager (SCOM), detailing enumeration techniques via Active Directory integration, SPN discovery, and client reconnaissance, followed by exploitation paths including NTLM relay attacks against the web management console's PowerShell widget for RCE and privilege escalation. The research demonstrates how insecure default configurations enable attackers to harvest RunAs credentials, escalate privileges on management servers, and compromise entire management groups and monitored infrastructure.

SRFApplicationSRFOsTACTA0004TACTA0005TACTA0001TACTA0002SRFIdentityTACTA0043
82
Edit Score
2025-12-10
2025-12-10 16:16Z
HIGH

CVE-2025-65807 — Chmln Sd: An issue in sd command v1.0.0 and before allows attackers to escalate privileges to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-65807

An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command. CVSSv3.1 8.4 (HIGH) · EPSS 8th percentile

CWECWE 266VNDChmlnTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-12-10
2025-12-10 00:16Z
HIGH

CVE-2025-61813 — Adobe Coldfusion: versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-61813

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed. CVSSv3.1 8.2 (HIGH) · EPSS 31th percentile

CWECWE 611VNDAdobeVNDColdfusionTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-12-10
2025-12-10 00:00Z
CRIT

CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation

Trend Micro Research·trendmicro.comCVE-2025-55182in the wild

CVE-2025-55182 is a CVSS 10.0 pre-authentication RCE in React Server Components (RSC) affecting React.js, Next.js, and related frameworks. The vulnerability exploits improper deserialization in the React Flight protocol through a four-stage chain leveraging JavaScript prototype pollution, duck-typing, and the Blob handler to achieve arbitrary code execution with full Node.js privileges. Trend Micro documents active in-the-wild exploitation across 145+ PoC variants, with observed campaigns (emerald, nuts) deploying Mirai botnets, Cobalt Strike beacons, Nezha, FRP, Sliver, cryptominers, and custom backdoors on both Linux and Windows infrastructure.

SRFApplicationTACTA0004TACTA0001TACTA0002SRFWebTACTA0003TACTA0011VNDNextjs
95
Edit Score
2025-12-09
2025-12-09 22:57Z
INFO

Operationalizing BloodHound Enterprise: Security automation with Tines

SpecterOps·specterops.io

SpecterOps published a technical guide demonstrating how to operationalize BloodHound Enterprise by integrating it with Tines for automated incident response workflows. The post covers manual blast-radius assessment techniques (checking Tier Zero status, local admin privileges, and attack paths) and provides a ready-to-use Tines story that automates these investigations using Cypher queries and AI-generated risk summaries.

SRFApplicationTACTA0007SRFIdentityTACTA0010VNDBloodhoundVNDSpecteropsVNDTinesTYPTechnique
62
Edit Score
2025-12-09
2025-12-09 19:15Z
CRIT

CVE-2025-65882 — Openmptcprouter Openmptcprouter: An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipa

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-65882

An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile

CWECWE 78VNDOpenmptcprouterTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-12-09
2025-12-09 18:29Z
CRIT

The December 2025 Security Update Review

Microsoft released 56 CVEs (70 with Chromium) and Adobe released 139 CVEs in December 2025 patch Tuesday. Three Microsoft CVEs are rated Critical, including two Office RCEs via Preview Pane (CVE-2025-62554/62557) and one Outlook RCE (CVE-2025-62562); CVE-2025-62221 (Windows Cloud Files UAF EoP) is under active exploitation. Adobe's 139 CVEs are dominated by XSS bugs in Experience Manager, with arbitrary code execution fixes in ColdFusion (deployment priority 1) and Reader.

SRFApplicationSRFOsTACTA0004TACTA0002VNDMicrosoftVNDAdobeTYPAdvisorySTGPrivesc
72
Edit Score
2025-12-09
2025-12-09 18:16Z
HIGH

CVE-2025-65594 — Os4ed Opensis: 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-65594

OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. CVSSv3.1 8.1 (HIGH) · EPSS 17th percentile

CWECWE 284VNDOs4edVNDOpensisTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-12-09
2025-12-09 18:16Z
HIGH

CVE-2025-62557 — Microsoft 365_apps: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62557

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 28th percentile

CWECWE 416VNDMicrosoftTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-12-09
2025-12-09 18:16Z
HIGH

CVE-2025-62554 — Microsoft 365_apps: Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62554

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 50th percentile

CWECWE 843VNDMicrosoftVNDAccessTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-12-09
2025-12-09 18:15Z
CRIT

CVE-2025-59719 — Fortinet Fortiweb: An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-59719

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. CVSSv3.1 9.8 (CRITICAL) · EPSS 50th percentile

CWECWE 347VNDFortinetTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-12-09
2025-12-09 18:15Z
CRIT

CVE-2025-59718 — Fortinet Fortiproxy: A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-59718in the wild

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authe CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile

CWECWE 347VNDFortinetTYPVulnerabilitySTAitw exploited
9.8
CVSS v3.1
100
Edit Score
2025-12-09
2025-12-09 17:15Z
HIGH

CVE-2025-56704 — Lepton-cms Leptoncms: version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-56704

LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile

CWECWE 434VNDLepton CmsVNDLeptoncmsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-12-09
2025-12-09 17:00Z
HIGH

Git SCOMmit – Putting the Ops in OpsMgr

SpecterOps·specterops.io

SpecterOps releases a modular Ludus automation framework for deploying System Center Operations Manager (SCOM) lab environments across single-server, small-distributed, and medium-distributed topologies. The tool enables red teamers to practice attack techniques against SCOM infrastructure ahead of the Black Hat Europe 2025 talk 'SCOMmand and Conquer' which will detail default configuration weaknesses and domain compromise paths.

SRFApplicationSRFNetworkVNDMicrosoftTYPResearchTYPToolSTGDiscoverySTGLat Movement
72
Edit Score
2025-12-09
2025-12-09 16:18Z
HIGH

CVE-2025-67518 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-67518

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection.This issue affects Accordion Slider PRO: from n/a through <= 1.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-12-09
2025-12-09 16:18Z
HIGH

CVE-2025-67517 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-67517

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-12-09
2025-12-09 16:18Z
HIGH

CVE-2025-67516 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-67516

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-12-09
2025-12-09 16:18Z
HIGH

CVE-2025-67515 — Qodeinteractive Wilmer: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-67515

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion.This issue affects Wilmër: from n/a through < 3.5. CVSSv3.1 8.8 (HIGH)

CWECWE 98VNDQodeinteractiveTYPVulnerability
8.8
CVSS v3.1
94
Edit Score