Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-10850 — Felan: The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up
The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplica CVSSv3.1 9.8 (CRITICAL)
Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing
Trend Micro reports a significant decline in Lumma Stealer (Water Kurita) activity following a targeted doxxing campaign in late August–October 2025 that exposed alleged core members' personal and operational details, coinciding with Telegram account compromise on September 17. The disruption has triggered a migration of customers to competing infostealer MaaS platforms, primarily Vidar and StealC, while related services like Amadey saw reduced activity. The incident illustrates the volatile nature of the cybercriminal ecosystem where dominance attracts both law enforcement and rival threat actors.
CVE-2025-9967 — Orion: The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via
The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number CVSSv3.1 9.8 (CRITICAL)
CVE-2025-10299 — Instant: The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to
The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those. CVSSv3.1 8.8 (HIGH)
CVE-2025-10041 — Flex: The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits
Trend Micro disclosed Operation Zero Disco, an active campaign exploiting Cisco SNMP vulnerability CVE-2025-20352 to achieve remote code execution and deploy persistent rootkits on Cisco 9400, 9300, and legacy 3750G switches. The rootkit establishes universal passwords, hooks IOSd memory for authentication bypass, enables lateral movement across VLANs via ARP spoofing, and provides a UDP controller for log manipulation, configuration hiding, and VTY ACL bypass.
ProtectMyTooling — Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured
ProtectMyTooling is a multi-packer wrapper framework that chains together various PE obfuscators, packers, and shellcode loaders to produce evasion-hardened red team implants. The tool supports 30+ packers (both commercial and open-source), includes artifact watermarking, IOC collection, and PE backdooring capabilities, with a GUI and Cobalt Strike integration.
CVE-2025-49552 — Adobe Connect: versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS)
Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a high-privileged attacker to execute malicious scripts in a victim's browser. Exploitation of this issue requires user interaction in that a victim must navigate to a crafted web page. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Scope is changed. CVSSv3.1 8.1 (HIGH)
CVE-2025-59249 — Microsoft Exchange_server: Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over
Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. CVSSv3.1 8.8 (HIGH) · EPSS 32th percentile
CVE-2025-53782 — Microsoft Exchange_server: Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to
Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally. CVSSv3.1 8.4 (HIGH) · EPSS 22th percentile
CVE-2025-11721 — Mozilla Firefox: This bug showed evidence of memory corruption and we presume that with enough effort
Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144 and Thunderbird 144. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11720 — Mozilla Firefox: The Firefox and Firefox Focus UI for the Android custom tab feature only showed
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144. CVSSv3.1 8.1 (HIGH)
CVE-2025-11719 — Mozilla Firefox: Starting in Thunderbird 143, the use of the native messaging API by web extensions
Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability was fixed in Firefox 144 and Thunderbird 144. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11717 — Mozilla Firefox: When switching between Android apps using the card carousel Firefox shows a black screen
When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-11715 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSSv3.1 8.8 (HIGH)
CVE-2025-11714 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSSv3.1 8.8 (HIGH)
CVE-2025-11713 — Mozilla Firefox: Insufficient escaping in the “Copy as cURL” feature could have been used to trick
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-11710 — Mozilla Firefox: A compromised web process using malicious IPC messages could have caused the privileged browser
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11709 — Mozilla Firefox: A compromised web process was able to trigger out of bounds reads and writes
A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11708 — Mozilla Firefox: Use-after-free in MediaTrackGraphImpl::GetInstance().
Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-10610 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting Information Processing Industry and Foreign Trade Inc. Winsure allows Blind SQL Injection. This issue affects Winsure: through Version dated 21.08.2025. CVSSv3.1 9.8 (CRITICAL) · EPSS 12th percentile
SaaS Threats are Escalating: A Follow-Up to Our Recent Analysis
Bishop Fox published follow-up analysis on two concurrent threat actors targeting SaaS platforms: UNC6040 (ShinyHunters/Scattered Spider) using credential attacks and OAuth phishing, and UNC6395 (suspected nation-state) exploiting integration weaknesses for lateral movement. Campaigns have expanded from Salesforce to Google Workspace and Microsoft 365, with attackers abusing OAuth device code flow to bypass MFA and targeting administrators via LinkedIn reconnaissance and voice phishing.
CVE-2025-10228 — Session: Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking.
Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking. This issue affects Agentis: before 4.44. CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile
CVE-2025-6919 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cats Information Technology Software Development Technologies Aykome License Tracking System allows SQL Injection. This issue affects Aykome License Tracking System: before Version dated 06.10.2025. CVSSv3.1 9.8 (CRITICAL) · EPSS 12th percentile
CVE-2025-60306 — Code-projects Simple_car_rental_system: Simple Car Rental System 1.0 has a permission bypass issue where low privilege
code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations. CVSSv3.1 9.9 (CRITICAL) · EPSS 30th percentile