Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-43433 — Apple Safari: Processing maliciously crafted web content may lead to memory corruption.
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to memory corruption. CVSSv3.1 8.8 (HIGH)
CVE-2025-0987 — Authorization: Bypass Through User-Controlled Key vulnerability in CB Project Ltd.
Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects CVLand: from 2.1.0 through 20251103. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.9 (CRITICAL) · EPSS 19th percentile
365-Stealer — 365-Stealer is a phishing simualtion tool written in python3. It can be used to execute Illicit Consent Grant Attack.
365-Stealer is a publicly available Python3 tool that automates illicit consent grant attacks against Microsoft 365/Azure AD environments. The tool enables attackers to register malicious applications, trick users into granting permissions, steal refresh tokens, and subsequently access victim emails, OneDrive files, OneNote data, and perform lateral movement actions like creating Outlook rules and sending emails on behalf of victims.
CVE-2025-6520 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Abis Technology BAPSIS allows Blind SQL Injection. This issue affects BAPSIS: before 202510271606. CVSSv3.1 9.8 (CRITICAL) · EPSS 12th percentile
CVE-2025-56399 — alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution
alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server CVSSv3.1 8.8 (HIGH) · EPSS 42th percentile
CVE-2025-12380 — Mozilla Firefox: Starting with Firefox 142, it was possible for a compromised child process to trigger
Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability was fixed in Firefox 144.0.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-55754 — Apache Tomcat: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker control CVSSv3.1 9.6 (CRITICAL) · EPSS 31th percentile
CVE-2023-49440 — AhnLab: EPP 1.0.15 is vulnerable to SQL Injection via the "preview parameter."
AhnLab EPP 1.0.15 is vulnerable to SQL Injection via the "preview parameter." CVSSv3.1 8.8 (HIGH) · EPSS 24th percentile
CVE-2025-12235 — Tenda Ch22_firmware: The manipulation of the argument page results in buffer overflow.
A vulnerability was found in Tenda CH22 1.0.0.1. This vulnerability affects the function fromSetIpBind of the file /goform/SetIpBind. The manipulation of the argument page results in buffer overflow. The attack must originate from the local network. The exploit has been made public and could be used. CVSSv3.1 8.0 (HIGH) · EPSS 37th percentile
Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C
Trend Micro disclosed an active Water Saci malware campaign spreading via WhatsApp that employs a new script-based infection chain using VBS downloaders and PowerShell payloads to hijack WhatsApp Web sessions, harvest contacts, and establish persistent botnet control. The malware features a sophisticated dual-channel C&C architecture combining email-based (IMAP) infrastructure with HTTP polling, multi-vector persistence mechanisms, and real-time remote command capabilities including pause/resume functionality for coordinated attacks across multiple machines. The campaign targets Portuguese-language systems in Brazil with anti-analysis checks and is likely linked to the Coyote banking trojan, representing an evolution in Brazilian cybercriminal tactics from compiled binaries to browser automation and social engineering at scale.
CVE-2025-12028 — IndieAuth: The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a use CVSSv3.1 8.8 (HIGH)
CVE-2025-11253 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aksis Technology Inc. Netty ERP allows SQL Injection. This issue affects Netty ERP: before V.1.1000. CVSSv3.1 9.8 (CRITICAL) · EPSS 12th percentile
autobloody — Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound
autobloody is a Python tool that automates Active Directory privilege escalation exploitation by parsing BloodHound graph data and executing attack chains via the bloodyAD package. It uses Neo4j's Dijkstra algorithm to identify optimal privesc paths, then automatically executes them against domain controllers using LDAP, supporting multiple authentication methods (cleartext, pass-the-hash, pass-the-ticket, certificates).
CVE-2025-11023 — Inclusion: AcBakImzala allows PHP Local File Inclusion.
Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion. This issue affects AcBakImzala: before v5.1.4. CVSSv3.1 9.8 (CRITICAL) · EPSS 36th percentile
Pwn2Own Ireland 2025: Day Three and Master of Pwn
Pwn2Own Ireland 2025 concluded with 73 unique 0-day vulnerabilities disclosed across three days, awarding $1,024,750 in total bounties. The Summoning Team won Master of Pwn with successful exploits spanning multiple device categories including smartphones, IoT devices, printers, and smart home systems. Notable wins included Samsung Galaxy S25 camera/location hijacking via improper input validation, QNAP NAS takeover via hardcoded credentials and injection, and Phillips Hue Bridge compromise through authentication bypass and heap overflow chains.
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Trend Micro Research documented a sophisticated Agenda ransomware campaign (attributed to Qilin) that deployed Linux-based ransomware on Windows systems via legitimate remote management tools (Splashtop, WinSCP, ScreenConnect, AnyDesk) combined with BYOVD defense evasion techniques. The attack chain leveraged fake CAPTCHA social engineering for initial access, credential harvesting from Veeam backup infrastructure, and cross-platform execution through Windows Subsystem for Linux (WSL). Since January 2025, Agenda has compromised over 700 victims across 62 countries, with heavy targeting of manufacturing, technology, financial services, and healthcare sectors.
Impacket 0.13.0
Impacket 0.13.0 released with major SMB client/server refactoring, enhanced LDAP/Kerberos handling including channel binding and LDAPS-based LAPS retrieval, expanded relay attack capabilities (WinRMS, SCCM, RPC), and new offensive examples including AD CS "bad successor" attack and LSA secrets extraction. The release adds 50 commits with improvements to authentication, relay tooling, and remote access utilities across Windows domain attack surfaces.
CVE-2025-62023 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This
Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This issue affects s2Member: from n/a through <= 250905. CVSSv3.1 9.0 (CRITICAL)
CVE-2025-60238 — Deserialization: of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection.This issue affects UNIVERSAM: from n/a through <= 9.04.02. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-60227 — Thimpress Wp_pipes: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3. CVSSv3.1 8.6 (HIGH)
CVE-2025-60041 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through <= 3.5.3. CVSSv3.1 8.8 (HIGH)
CVE-2025-59557 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection.This issue affects Learts Addons: from n/a through < 1.7.5. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-59007 — Deserialization: of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor
Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-58967 — Thememove Businext: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Businext businext allows PHP Local File Inclusion.This issue affects Businext: from n/a through < 2.4.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-58963 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through < 1.1.9. CVSSv3.1 10.0 (CRITICAL)