Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-6919 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cats Information Technology Software Development Technologies Aykome License Tracking System allows SQL Injection. This issue affects Aykome License Tracking System: before Version dated 06.10.2025. CVSSv3.1 9.8 (CRITICAL) · EPSS 12th percentile
CVE-2025-60306 — Code-projects Simple_car_rental_system: Simple Car Rental System 1.0 has a permission bypass issue where low privilege
code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations. CVSSv3.1 9.9 (CRITICAL) · EPSS 30th percentile
CVE-2025-60307 — Carmelo Computer_laboratory_system: code-projects Computer Laboratory System 1.0 has a SQL injection vulnerability, where entering a universal
code-projects Computer Laboratory System 1.0 has a SQL injection vulnerability, where entering a universal password in the Password field on the login page can bypass login attempts. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile
CVE-2025-60305 — Senior-walter Online_student_clearance_system: SourceCodester Online Student Clearance System 1.0 is vulnerable to Incorrect Access Control.
SourceCodester Online Student Clearance System 1.0 is vulnerable to Incorrect Access Control. The application contains a logic flaw which allows low privilege users can forge high privileged sessions and perform sensitive operations. CVSSv3.1 8.8 (HIGH) · EPSS 32th percentile
CVE-2025-60378 — Fairsketch Rise_ultimate_project_manager: Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients. CVSSv3.1 8.1 (HIGH) · EPSS 61th percentile
CVE-2025-52650 — Hcltech Aion: Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0
Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0 CVSSv3.1 8.2 (HIGH) · EPSS 11th percentile
CVE-2025-11522 — Search: The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to
The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled. CVE-2025-62064 is likely a duplicate of this CVE. CVSSv3.1 9.8 (CRITICAL)
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend Micro and ZDI researchers identified a large-scale RondoDox botnet campaign actively exploiting over 50 vulnerabilities across 30+ vendors since mid-2025, including flaws first disclosed at Pwn2Own competitions. The campaign uses a "shotgun" approach targeting internet-exposed routers, DVRs, NVRs, CCTV systems, and web servers with command-injection exploits, deploying multiarchitecture payloads and co-packaging with Mirai/Morte variants. Multiple CVEs are now in CISA's Known Exploited Vulnerabilities catalog, with evidence of rapid growth via loader-as-a-service infrastructure.
Weaponized AI Assistants & Credential Thieves
Trend Micro documents two escalating NPM supply-chain attacks: 's1ngularity' malware that weaponizes local AI CLI tools (Gemini, Claude) to harvest credentials via prompt injection, followed by 'Shai-Hulud', a self-propagating worm that compromises maintainer accounts and uses TruffleHog to locate publishing tokens, then automatically republishes infected packages across 187+ packages including CrowdStrike developer tools. The attacks demonstrate a shift toward fully automated, token-driven supply-chain propagation requiring no human intervention after initial compromise.
CVE-2025-57457 — Command: An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows
An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter. CVSSv3.1 8.8 (HIGH) · EPSS 63th percentile
ResourcePoison — Writeup and exploit for CVE-2025-22441: Privilege escalation from installed app to SystemUI process on Android due to pa
ResourcePoison is a privilege escalation exploit for CVE-2025-22441 affecting Android, allowing an installed app to achieve code execution within the SystemUI process via untrusted ApplicationInfo passed through RemoteViews. The vulnerability stems from LoadedApk.checkAndUpdateApkPaths() accepting attacker-controlled ApplicationInfo objects from RemoteViews without validation, enabling resource replacement and arbitrary code loading through a race condition during WebView initialization. The exploit chains resource manipulation with WebView loading to achieve RCE in SystemUI, bypassing normal permission boundaries.
APT Meets GPT: Targeted Operations with Untamed LLMs
Volexity disclosed a sustained spear-phishing campaign by China-aligned APT UTA0388 (tracked as UNK_DropPitch by Proofpoint) running from June–September 2025, delivering the GOVERSHELL backdoor via DLL search-order hijacking. The threat actor evolved five distinct malware variants with progressively sophisticated C2 mechanisms (fake TLS → AES → HTTPS polling → WebSocket → beacon-style), and OpenAI confirmed UTA0388 leveraged ChatGPT for phishing content generation and malware development. The campaign employed rapport-building phishing, multi-language targeting, and cloud-hosted payload delivery across North America, Asia, and Europe.
How Your AI Chatbot Can Become a Backdoor
Trend Micro published a detailed attack chain demonstrating how LLM-powered chatbots can be weaponized as backdoors through a multi-stage exploitation sequence: initial information disclosure via error messages, indirect prompt injection via third-party data sources, system prompt leakage, excessive API permissions, command injection, and lateral movement into infrastructure. The research maps vulnerabilities to OWASP LLM Top 10 (LLM01, LLM02, LLM05, LLM06, LLM07, LLM08) and illustrates how seemingly minor AI security gaps chain into full infrastructure compromise.
A Cascade of Insecure Architectures: Axis Plugin Design Flaw Expose Select Autodesk Revit Users to Supply Chain Risk
Trend Micro discovered hardcoded Azure Storage Account credentials (SAS tokens and access keys) embedded in signed DLLs within Axis Communications' Autodesk Revit plugin, exposing MSI installers and RFA model files to unauthorized modification. Combined with multiple RCE vulnerabilities in Autodesk Revit's RFA file parser, attackers could have poisoned the storage account to deliver malicious installers or crafted model files, enabling mass supply-chain compromise of Axis customers. Axis patched the issue across multiple iterations (versions 25.3.710, 25.3.711, and final fix in 25.3.718), but initial patches used obfuscation and retained overly permissive credentials before implementing least-privilege SAS tokens.
CVE-2025-0603 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Callvision Healthcare Callvision Emergency Code allows SQL Injection, Blind SQL Injection. This issue affects Callvision Emergency Code: before V3.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 12th percentile
CVE-2025-60965 — Endruntechnologies Sonoma_d12_firmware: OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts. CVSSv3.1 9.1 (CRITICAL) · EPSS 74th percentile
CVE-2025-60964 — Endruntechnologies Sonoma_d12_firmware: OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts. CVSSv3.1 9.1 (CRITICAL) · EPSS 73th percentile
CVE-2025-60963 — Endruntechnologies Sonoma_d12_firmware: OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information. CVSSv3.1 8.2 (HIGH) · EPSS 64th percentile
CVE-2025-60962 — Endruntechnologies Sonoma_d12_firmware: OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts. CVSSv3.1 8.2 (HIGH) · EPSS 59th percentile
CVE-2025-60960 — Endruntechnologies Sonoma_d12_firmware: OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information. CVSSv3.1 8.2 (HIGH) · EPSS 64th percentile
CVE-2025-60959 — Endruntechnologies Sonoma_d12_firmware: OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information. CVSSv3.1 8.2 (HIGH) · EPSS 59th percentile
CVE-2025-60957 — Endruntechnologies Sonoma_d12_firmware: OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information. CVSSv3.1 9.9 (CRITICAL) · EPSS 73th percentile
CVE-2025-60956 — Endruntechnologies Sonoma_d12_firmware: Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server
Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information. CVSSv3.1 8.0 (HIGH) · EPSS 11th percentile
CVE-2025-39946 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: tls: make sure to
In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data CVSSv3.1 9.8 (CRITICAL)
CVE-2025-9243 — Cost: The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status. CVSSv3.1 8.1 (HIGH)