Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-55182-research — CVE-2025-55182 POC
CVE-2025-55182 is a critical RCE vulnerability in React's Flight Protocol affecting versions 19.0.0–19.2.0 and Next.js 15.x–16.x. The exploit chains path traversal via `$1:constructor:constructor`, fake chunk injection with self-referential thenable objects, and `$B` handler abuse to reach the Function constructor and execute arbitrary code. Patches are available in React 19.0.1+, 19.1.2+, 19.2.1+ and corresponding Next.js releases.
CVE-2025-55182 — Explanation and full RCE PoC for CVE-2025-55182
CVE-2025-55182 is a critical prototype pollution vulnerability in React Server Functions (Next.js) that allows unauthenticated remote code execution via the React Flight Protocol deserialization. The vulnerability stems from insufficient validation during chunk reference resolution, enabling attackers to access the Function constructor and chain gadgets through blob deserialization to achieve arbitrary code execution before action validation occurs.
AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows
Trend Micro Research disclosed GhostPenguin, a previously undocumented Linux backdoor written in C++ that evaded detection for over four months on VirusTotal. The malware was discovered through AI-automated threat hunting and provides remote shell access, file operations, and C&C communication via RC5-encrypted UDP channels. Analysis reveals the backdoor is still in active development with debug artifacts and unused persistence functions.
react2shell-scanner — High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)
Assetnote released react2shell-scanner, a Python tool for detecting critical RCE vulnerabilities (CVE-2025-55182 and CVE-2025-66478) in Next.js applications using React Server Components. The scanner executes a deterministic PoC payload and detects vulnerability via response header reflection, with optional safe-check mode, WAF bypass techniques, and multi-threaded scanning capabilities.
Nuclei Templates v10.3.5 - Release Notes
Nuclei Templates v10.3.5 adds 57 new detection templates covering 33 CVEs, with critical focus on React Server Components RCE (CVE-2025-55182), WordPress plugin vulnerabilities (auth bypass, arbitrary file upload, privilege escalation), and PrestaShop/CMS exploits. The release includes bug fixes reducing false positives/negatives and enhanced detection accuracy across WordPress ecosystem, PHP applications, and infrastructure services.
CVE-2025-14126 — Such manipulation leads to hard-coded credentials.
A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile
CVE-2025-12673 — Flex: The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-55182 — RSC/Next.js RCE Vulnerability Detector & PoC Chrome Extension – CVE-2025-55182 & CVE-2025-66478
A public GitHub repository released a Chrome extension and Shodan scanner toolkit for detecting and exploiting CVE-2025-55182 and CVE-2025-66478, critical RCE vulnerabilities in React Server Components (RSC) and Next.js applications. The toolkit includes automated vulnerability detection, proof-of-concept exploitation capabilities, and a CORS-bypass proxy for remote testing.
CVE-2025-34291 — Langflow Langflow: versions up to and including 1.6.9 contain a chained vulnerability that enables account
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_t CVSSv3.1 8.8 (HIGH) · EPSS 93th percentile
Ghostwriter v6.1 — Playing Fetch with BloodHound
SpecterOps released Ghostwriter v6.1, introducing native BloodHound integration that allows direct import of BloodHound data and findings into assessment projects. The release also adds collaborative project notes, improved caption editor objects, dark mode, expanded SSO/MFA options including WebAuthn groundwork, and programmatic evidence downloads via GraphQL.
CVE-2025-64054 — Fanvil X210_firmware: A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers
A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. CVSSv3.1 9.6 (CRITICAL) · EPSS 32th percentile
CVE-2025-64057 — Fanvil X210_firmware: Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local
Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store files in arbitrary locations and potentially modify the system configuration or other unspecified impacts. CVSSv3.1 8.3 (HIGH) · EPSS 52th percentile
React2Shell-CVE-2025-55182-original-poc — Original Proof-of-Concepts for React2Shell CVE-2025-55182
Original proof-of-concept code for CVE-2025-55182 affecting React2Shell has been publicly released on GitHub by the original discoverer. The vulnerability allows remote code execution through a promise-chain gadget attack that manipulates Chunk objects and leverages the `_formData` gadget chain in Next.js/React environments. Public variants are already in circulation and integrated into Google's Tsunami security scanner.
RSC_Detector — Supports RSC fingerprinting and exploitation of the React component vulnerability CVE-2025-55182.
RSC_Detector is a Chrome extension that performs passive and active fingerprinting of React Server Components (RSC) and Next.js App Router implementations, with exploitation capabilities for CVE-2025-55182. The tool uses multiple detection methods including Content-Type analysis, header inspection, and React Flight Protocol pattern matching to identify vulnerable RSC deployments.
CVE-2025-12374 — Email: The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a v CVSSv3.1 9.8 (CRITICAL)
CVE-2025-12181 — ContentStudio: The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2025-67910 is likely a duplicate of this. CVSSv3.1 8.8 (HIGH)
CVE-2025-13313 — CRM: The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset
The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's emai CVSSv3.1 9.8 (CRITICAL)
Critical React Server Components Vulnerability CVE-2025-55182: What Security Teams Need to Know
CVE-2025-55182 is a critical pre-authentication RCE (CVSS 10.0) in React Server Components affecting React 19.x, Next.js 15.x/16.x, and related frameworks. The vulnerability stems from unsafe deserialization of HTTP payloads in Server Function endpoints, allowing unauthenticated attackers to execute arbitrary code with a single malicious POST request. Active exploitation in the wild has been observed targeting financial services, technology, and e-commerce sectors.
v3.6.0
Nuclei v3.6.0 released with new features including resume file writing, JavaScript multi-port support, direct fuzzing for OpenAPI/Swagger specs, .NET deserialization DSL helpers, and persistent metadata caching. The release includes bug fixes for DNS lookups, parallel processing restoration, and various dependency updates.
CVE-2025-29269 — Allnet All-rut22gw_firmware: ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the
ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint. CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile
CVE-2025-29268 — Allnet All-rut22gw_firmware: ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library.
ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. CVSSv3.1 9.8 (CRITICAL) · EPSS 94th percentile
CVE-2025-66287 — WebKitGTK: A flaw was found in WebKitGTK.
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling. CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile
Arista NextGen Firewall XSS to RCE Chain
Bishop Fox disclosed a critical vulnerability chain in Arista Next Generation Firewalls affecting three CVEs: CVE-2025-6980 (information disclosure exposing VPN credentials), CVE-2025-6979 (reflected XSS for credential theft), and CVE-2025-6978 (command injection for RCE). Researchers confirmed the XSS-to-RCE chain is exploitable in real-world conditions and that Arista's patch for CVE-2025-6978 does not fully remediate the underlying issues, leaving administrator-level exploitation possible.
Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks
Volexity documents ongoing campaigns by Russian APT UTA0355 abusing Microsoft 365 OAuth and Device Code authentication workflows to phish credentials from targeted users. The threat actor creates fake websites impersonating legitimate European security conferences (Belgrade Security Conference, Brussels Indo-Pacific Dialogue), uses rapport-building phishing, compromised accounts, and out-of-band communication via WhatsApp/Signal to socially engineer victims into granting unauthorized account access.
CVE-2025-64055 — Fanvil X210_firmware: file upload, firmware update, reboot...) via a crafted authentication bypass.
An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass. CVSSv3.1 9.8 (CRITICAL) · EPSS 40th percentile