Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-64055 — Fanvil X210_firmware: file upload, firmware update, reboot...) via a crafted authentication bypass.
An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass. CVSSv3.1 9.8 (CRITICAL) · EPSS 40th percentile
CVE-2025-57201 — Avtech Dgm1104_firmware: SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. CVSSv3.1 8.8 (HIGH)
CVE-2025-57199 — Avtech Dgm1104_firmware: SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input. CVSSv3.1 8.8 (HIGH) · EPSS 86th percentile
CVE-2025-57198 — Avtech Dgm1104_firmware: SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input. CVSSv3.1 8.8 (HIGH) · EPSS 82th percentile
Nuclei Templates v10.3.4 - Release Notes
Nuclei Templates v10.3.4 release adds 68 new detection templates covering 27 CVEs, including critical RCE, XXE, auth-bypass, and file-upload vulnerabilities across Oracle Identity Manager, GeoServer, Eclipse BIRT, Zoho ManageEngine, and WordPress plugins. The release includes templates for recent 2025 CVEs (Astro XSS, Oracle auth-bypass, GeoServer XXE) alongside older critical flaws, with bug fixes addressing false negatives in log-file detection and false positives in WordPress theme checks.
PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
Trend Micro disclosed an active PureRAT campaign targeting job seekers via spear-phishing emails containing weaponized archives. The attack chain abuses Foxit PDF Reader through DLL side-loading (msimg32.dll), deploys a hidden Python environment via nested directory obfuscation, and achieves persistence through registry autorun entries. The RAT exfiltrates browser credentials and maintains C&C communication using self-signed certificates with anomalous validity periods.
Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp
Water Saci threat actors are deploying a sophisticated multi-stage banking trojan campaign targeting Brazilian users via WhatsApp, leveraging AI-converted Python automation scripts alongside HTA/ZIP/PDF delivery vectors. The infection chain combines obfuscated VB scripts, MSI installers, AutoIt loaders, and encrypted PE payloads with process hollowing into svchost.exe, coupled with aggressive reconnaissance of banking applications, browser history, antivirus software, and cryptocurrency wallets. The malware exhibits behavioral continuity with the Casbaneiro/Metamorfo lineage while introducing enhanced evasion techniques including custom RC4-like encryption, LZNT1 decompression, anti-sandbox VM detection, and persistent window-title monitoring to trigger credential theft during banking sessions.
CVE-2025-51683 — Mjobtime Mjobtime: A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute
A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint . CVSSv3.1 9.8 (CRITICAL) · EPSS 33th percentile
CVE-2025-51682 — Mjobtime Mjobtime: 15.7.2 handles authorization on the client side, which allows an attacker to modify
mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly. CVSSv3.1 9.8 (CRITICAL) · EPSS 31th percentile
CVE-2025-57489 — Shirt-pocket Superduper\!: Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper!
Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. CVSSv3.1 8.1 (HIGH) · EPSS 23th percentile
v10.3.3
Nuclei-templates v10.3.3 released with automated checksum generation. This is a routine maintenance release of the ProjectDiscovery template library used for vulnerability scanning.
Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems
Shai-hulud 2.0 is an active supply-chain worm targeting NPM package maintainers, stealing credentials from AWS/GCP/Azure, GitHub tokens, and NPM authentication, then automatically backdooring all victim-maintained packages with malicious payloads. The malware establishes C&C via GitHub Actions workflows and self-hosted runners, enabling command execution and secret exfiltration at scale across the NPM ecosystem. Hundreds of repositories were compromised in a November 24 incident, with the worm capable of exponential propagation to downstream users.
CVE-2025-50433 — Monnit Imonnit: An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges
An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts. CVSSv3.1 9.8 (CRITICAL) · EPSS 35th percentile
CVE-2025-65669 — Classroomio Classroomio: An issue was discovered in classroomio 0.1.13.
An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. CVSSv3.1 9.1 (CRITICAL) · EPSS 40th percentile
CVE-2025-61168 — Sigb Pmb: An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute
An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile
CVE-2025-65085 — Ashlar Argon: A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and
A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 31th percentile
CVE-2025-65084 — Ashlar Argon: An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt
An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 37th percentile
Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS
SpecterOps released RelayInformer, a Python tool and Cobalt Strike BOF suite that enumerates Extended Protection for Authentication (EPA) enforcement across MSSQL, HTTP/S, and LDAPS services. The research demonstrates methodologies for detecting all three EPA enforcement levels (Disabled, Allowed/When Supported, Required) by manipulating NTLM AV pairs and analyzing server responses, enabling attackers to determine relay feasibility before investing in coercion and tunneling infrastructure.
Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)
watchTowr researchers discovered 80,000+ saved JSON/code snippets on public formatter websites (JSONFormatter.org, CodeBeautify.org) containing thousands of exposed secrets including Active Directory credentials, API keys, cloud environment keys, private keys, and sensitive PII from critical infrastructure, government, finance, banking, and cybersecurity organizations. The researchers exploited trivial enumeration of sequential IDs and public "Recent Links" pages to systematically extract credentials, database passwords, CI/CD pipeline tokens, and full KYC banking data across a 5-year historical window.
CVE-2025-56400 — Tuya Smartlife: Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. CVSSv3.1 8.8 (HIGH) · EPSS 3th percentile
CVE-2025-13609 — This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls. CVSSv3.1 8.2 (HIGH) · EPSS 30th percentile
An Evening with Claude (Code)
Adam Chester (SpecterOps) discovered CVE-2025-64755, a remote code execution vulnerability in Claude Code v2.0.25 via sed expression injection. The vulnerability allowed attackers to write arbitrary files (including shell initialization files) through prompt injection, bypassing regex-based command filtering. Anthropic patched the issue in v2.0.31 within 7 days of disclosure.
CVE-2025-66095 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection.This issue affects KiviCare: from n/a through <= 3.6.13. CVSSv3.1 8.5 (HIGH)
CVE-2025-64759 — Homarr Homarr: Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript
Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to th CVSSv3.1 8.1 (HIGH)
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication
SpecterOps disclosed a critical authentication bypass in Microsoft SCCM's Entra ID integration (prior to KB5360093) that allows unauthenticated attackers to impersonate privileged accounts and achieve full hierarchy takeover. The vulnerability stems from insufficient authorization checks in the AdminService REST API—the service validates Entra tokens but trusts UPN claims without verifying the token's associated AD account exists or has appropriate permissions, enabling attackers to craft tokens with spoofed UPNs of site server machine accounts or privileged admins. The attack requires AD domain verification in Entra and ability to manipulate UPNs, but once achieved, grants complete administrative control over the SCCM infrastructure.