Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication
SpecterOps disclosed a critical authentication bypass in Microsoft SCCM's Entra ID integration (prior to KB5360093) that allows unauthenticated attackers to impersonate privileged accounts and achieve full hierarchy takeover. The vulnerability stems from insufficient authorization checks in the AdminService REST API—the service validates Entra tokens but trusts UPN claims without verifying the token's associated AD account exists or has appropriate permissions, enabling attackers to craft tokens with spoofed UPNs of site server machine accounts or privileged admins. The attack requires AD domain verification in Entra and ability to manipulate UPNs, but once achieved, grants complete administrative control over the SCCM infrastructure.
Fortinet FortiWeb Authentication Bypass – CVE-2025-64446
Bishop Fox disclosed CVE-2025-64446, a critical authentication bypass in Fortinet FortiWeb that allows unauthenticated attackers to create administrative accounts via a single HTTP POST request combining path traversal and a forged CGIINFO header. The vulnerability affects multiple versions (7.0.x, 7.2.x, 7.4.x, 7.6.x, 8.0.x) and is actively exploited in the wild; Fortinet patched it by restricting cgi-bin access in httpd.conf. Bishop Fox released a public scanner and detailed exploit analysis including version-specific vulnerability matrix.
CVE-2025-32463_chwoot — Escalation of Privilege to the root through sudo binary with chroot option. CVE-2025-32463
CVE-2025-32463 is a privilege escalation vulnerability in sudo versions 1.9.14–1.9.17 affecting the chroot (-R) option, allowing unprivileged users to escalate to root. A public proof-of-concept exploit with Docker reproduction environment has been released, demonstrating reliable root shell access on vulnerable systems.
CVE-2025-10437 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Webpack Management System allows SQL Injection. This issue affects Webpack Management System: through 20251119. CVSSv3.1 9.8 (CRITICAL) · EPSS 11th percentile
CVE-2025-13069 — Enable: The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary
The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.3. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's s CVSSv3.1 8.8 (HIGH)
Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses
Trend Micro research documents five S3 ransomware variants targeting AWS environments, ranging from KMS-based encryption attacks to exfiltration-and-deletion tactics. The variants exploit misconfigured IAM policies, leaked credentials, and lesser-known AWS features like SSE-C, external key material imports, and External Key Store (XKS) to render victim data permanently inaccessible. The research includes defensive policy recommendations to restrict dangerous encryption and key management operations.
CVE-2025-63748 — Testmanagement Qatraq: 6.9.2 allows authenticated users to upload arbitrary files via the "Add Attachment" feature
QaTraq 6.9.2 allows authenticated users to upload arbitrary files via the "Add Attachment" feature in the "Test Script" module. The application fails to restrict file types, enabling the upload of executable PHP files. Once uploaded, the file can be accessed through the "View Attachment" option, which executes the PHP payload on the server. CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile
CVE-2025-63747 — Testmanagement Qatraq: 6.9.2 ships with administrative account credentials which are enabled in default installations and
QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access. CVSSv3.1 9.8 (CRITICAL) · EPSS 33th percentile
AMSI-Bypass-via-Page-Guard-Exceptions — Shellcode and In-PowerShell solution for patching AMSI via Page Guard Exceptions
A GitHub repository containing shellcode and in-PowerShell implementations for bypassing Windows Antimalware Scan Interface (AMSI) via page guard exceptions. The technique leverages vectored exception handling to intercept AmsiScanBuffer calls and force clean scan results by manipulating exception handlers and memory protection flags.
CVE-2025-63680 — Nero Backitup: in the Nero Productline is vulnerable to a path parsing/UI rendering flaw
Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affe CVSSv3.1 8.6 (HIGH) · EPSS 2th percentile
v3.5.1
Nuclei v3.5.1 released with a single maintenance commit removing genproto replace directives from go.mod. This is a minor patch release with no security fixes or feature additions.
v3.5.0
Nuclei v3.5.0 released with new features including JSON/XPath headless extractors, VNC authentication, SSH keyboard-interactive support, and Docker execution support. The release includes numerous bug fixes addressing memory leaks, template loading issues, and performance optimizations for concurrent template handling and HTTP probing.
When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446)
watchTowr Labs disclosed CVE-2025-64446, a critical authentication bypass in Fortinet FortiWeb affecting versions 6.3–8.0.1. The vulnerability chains a path traversal in the API endpoint with an impersonation mechanism in the fwbcgi binary that accepts arbitrary user credentials via a Base64-encoded CGIINFO HTTP header, allowing unauthenticated attackers to assume admin privileges and create persistent backdoor accounts. The vulnerability is actively exploited in the wild; Fortinet silently patched it in version 8.0.2 without explicit advisory, and has now released CVE-2025-64446 with patch guidance.
CVE-2025-8855 — Authorization: Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information. This issue affects Brokerage Automation: before 1.1.71. CVSSv3.1 8.1 (HIGH) · EPSS 19th percentile
Redefining Enterprise Defense in the Era of AI-Led Cyberattacks
Trend Micro research documents the evolution of AI-driven cyberattacks, highlighting a China-aligned group's exploitation of Anthropic's Claude Code to autonomously target 30+ organizations globally through jailbreaking and agentic AI orchestration. The report details how threat actors are progressing from using GenAI for code generation to deploying autonomous AI agents that automate reconnaissance, exploitation, credential harvesting, and data exfiltration with minimal human intervention. The analysis projects a shift toward "Cybercrime as a Servant" models where agentic AI systems manage entire attack campaigns, requiring defenders to adopt similarly automated, agentic defense architectures.
CVE-2025-60679 — Dlink Dir-816_firmware: A stack buffer overflow vulnerability exists in the D-Link DIR-816A2 router firmware DIR-816A2_FWv1.10CNB05_R1B011D88210.img in
A stack buffer overflow vulnerability exists in the D-Link DIR-816A2 router firmware DIR-816A2_FWv1.10CNB05_R1B011D88210.img in the upload.cgi module, which handles firmware version information. The vulnerability occurs because /proc/version is read into a 512-byte buffer and then concatenated using sprintf() into another 512-byte buffer containing a 29-byte constant. Input exceeding 481 bytes triggers a stack buffer overflow, allowing an attacker who can control /proc/versio CVSSv3.1 8.8 (HIGH) · EPSS 44th percentile
CVE-2025-60696 — Linksys Re7000_firmware: A stack-based buffer overflow vulnerability exists in the makeRequest.cgi binary of Linksys RE7000 routers
A stack-based buffer overflow vulnerability exists in the makeRequest.cgi binary of Linksys RE7000 routers (Firmware FW_v2.0.15_211230_1012). The arplookup function parses lines from /proc/net/arp using sscanf("%16s ... %18s ..."), storing results into buffers v6 (12 bytes) and v7 (20 bytes). Since the format specifiers allow up to 16 and 18 bytes respectively, oversized input can overflow the buffers, resulting in stack corruption. Local attackers controlling /proc/net/arp c CVSSv3.1 8.4 (HIGH) · EPSS 12th percentile
CVE-2025-60692 — Linksys E1200_firmware: A stack-based buffer overflow vulnerability exists in the libshared.so library of Cisco Linksys E1200
A stack-based buffer overflow vulnerability exists in the libshared.so library of Cisco Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The functions get_mac_from_ip and get_ip_from_mac use sscanf with overly permissive "%100s" format specifiers to parse entries from /proc/net/arp into fixed-size buffers (v6: 50 bytes, v7 sub-arrays: 50 bytes). This allows local attackers controlling the contents of /proc/net/arp to overflow stack buffers, leading to memory c CVSSv3.1 8.4 (HIGH) · EPSS 12th percentile
CVE-2025-60691 — Linksys E1200_firmware: A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers
A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The apply_cgi and block_cgi functions copy user-supplied input from the "url" CGI parameter into stack buffers (v36, v29) using sprintf without bounds checking. Because these buffers are allocated as single-byte variables, any non-empty input will trigger a buffer overflow. Remote attackers can exploit this vulnerability via crafted HTTP requests to exe CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile
CVE-2025-60690 — Linksys E1200_firmware: A stack-based buffer overflow exists in the get_merge_ipaddr function of the httpd binary on
A stack-based buffer overflow exists in the get_merge_ipaddr function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to four user-supplied CGI parameters matching <parameter>_0~3 into a fixed-size buffer (a2) without bounds checking. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. CVSSv3.1 8.8 (HIGH) · EPSS 91th percentile
Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics
Trend Micro reports a resurgence in Lumma Stealer (Water Kurita) activity since October 20, 2025, following the doxxing of its core members. The malware now employs adaptive browser fingerprinting via JavaScript payloads to profile victim environments (system specs, hardware, WebGL, canvas, WebRTC data) while maintaining traditional C&C protocols, enabling enhanced evasion, selective payload deployment, and detection avoidance through legitimate browser process injection.
CVE-2025-56385 — Wellsky Harmony: A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83
A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents. CVSSv3.1 9.8 (CRITICAL) · EPSS 36th percentile
CVE-2025-59088 — If kdcproxy receives a request for a realm which does not have server addresses
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability ca CVSSv3.1 8.6 (HIGH) · EPSS 32th percentile
Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101)
watchTowr Labs disclosed two vulnerabilities in Citrix NetScaler: WT-2025-0089, a memory leak triggered by misconfiguring an AAA virtual server without enabling the AAA feature (no CVE assigned due to low real-world likelihood), and WT-2025-0090, a reflected XSS in the SAML RelayState parameter (CVE-2025-12101). The XSS is exploitable via CSRF when a valid SAMLResponse is paired with a crafted RelayState parameter containing injected HTML/JavaScript.
The November 2025 Security Update Review
November 2025 patch Tuesday from Microsoft (63 CVEs, 4 Critical) and Adobe (29 CVEs across 8 products). Microsoft's CVE-2025-62215 is under active exploitation as a Windows kernel race-condition EoP; CVE-2025-60724 (GDI+ RCE, CVSS 9.8) allows unauthenticated network code execution via malformed metafiles; CVE-2025-62222 introduces the first documented Agentic AI RCE in Visual Studio Code. Azure Monitor Agent (CVE-2025-59504) permits unauthenticated RCE without user interaction.