IONIX THREAT CENTER

A buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS allows an unauthenticated, network-adjacent attacker to execute arbitrary code with root privileges by sending specially crafted packets. Affected versions include PAN-OS < 12.1.4-h5, < 11.2.4-h17, < 11.1.4-h33, and < 10.2.7-h34 on PA-Series and VM-Series firewalls with Captive Portal enabled. Cloud NGFW, Prisma Access, and Panorama are not affected. Palo Alto Networks has confirmed limited active exploitation in the wild targeting internet-exposed Authentication Portals, with exploit automation confirmed. Organizations should apply the relevant hotfix immediately and, as an interim measure, restrict access to the Authentication Portal from untrusted networks and the public internet.

• Palo Alto Networks Security Advisory: CVE-2026-0300
• Exploited in the Wild: Critical PAN-OS Buffer Overflow Grants Root Access to Palo Alto Firewalls

## Summary

**CVE-2026-7482** is a high/critical vulnerability in Ollama (model server) prior to **v0.17.1**. A crafted GGUF model file can trigger a **heap out-of-bounds read** in the GGUF model loader during quantization, allowing an attacker to read sensitive memory and exfiltrate it via the product’s model-push functionality.

## Affected software

* Ollama versions **prior to 0.17.1** (i.e., all releases before the fix in v0.17.1).

## Mitigation and recommendations

* **Immediate action:** upgrade Ollama to **v0.17.1** (or later) which contains the upstream fix.
* **Short-term mitigations if patching is delayed:**
* Restrict network access to Ollama management endpoints (bind to localhost, firewall rules, or use a reverse proxy with authentication and allowlisting).
* Do not expose Ollama’s API endpoints directly to the public Internet.
* Monitor outbound uploads from Ollama for suspicious pushes to unknown registries.

## IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• cve.org

A critical authentication bypass vulnerability (CVE-2026-4670) has been disclosed in Progress Software MOVEit Automation. An unauthenticated remote attacker can exploit this flaw entirely over the network — with no privileges and no user interaction required — to bypass authentication controls and gain unauthorized access to the platform.

MOVEit Automation is commonly deployed as an internet-facing file transfer automation server, making exposed instances high-value targets. All versions prior to 2025.0.9 (in the 2025.0.x line), prior to 2024.1.8 (in the 2024.x line), and all versions older than 2024.0.0 are affected. Organizations should patch to a fixed version immediately and review access logs for signs of unauthorized activity.

• MOVEit Automation Critical Security Alert Bulletin – April 2026 (CVE-2026-4670, CVE-2026-5174)

## Overview

**CVE-2026-41940** is a critical authentication bypass vulnerability affecting cPanel & WHM. The issue allows **unauthenticated remote attackers** to bypass the login flow and gain unauthorized access to the control panel.

### Vulnerability details

– **Type:** Authentication bypass (CWE-306)
– **Root cause:** A flaw in the login flow that permits authentication to be bypassed under certain conditions, enabling attackers to access cPanel/WHM functionality without valid credentials.
– **Exploitability:** Network-accessible; no privileges or user interaction required.

### Affected software / versions

According to the advisory data, affected versions include cPanel & WHM versions prior to the following builds (upgrade to these builds or later):

– 11.110.0.97
– 11.118.0.63
– 11.126.0.54
– 11.132.0.29
– 11.134.0.20
– 11.136.0.5

If your cPanel/WHM instances run versions older than the builds above, they are considered vulnerable.

### Severity & potential impact

– **Severity:** CRITICAL
– **CVSS 3.1 (per advisory):** 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Potential impacts of successful exploitation include:

– Unauthorized administrative access to cPanel and WHM management interfaces
– Full compromise of hosted accounts and management of hosted services
– Data exposure of hosted sites and customer information
– Lateral movement within hosting infrastructure and potential deployment of malicious content or backdoors

### Recommended actions / mitigations

– **Patch immediately:** Upgrade cPanel & WHM to the fixed builds listed above (or later) via the vendor release process.
– **Restrict access:** Where patching is delayed, restrict access to cPanel/WHM management ports (typically 2082/2083/2086/2087) to trusted IP ranges via firewall rules.
– **Rotate credentials:** Consider rotating administrative credentials and API keys used by affected systems after patching.
– **Audit & monitor:** Review authentication and access logs for suspicious login activity and signs of unauthorized changes. Check for web shells or unexpected cron jobs on hosted accounts.
– **Apply vendor guidance:** Follow any additional mitigation or detection guidance published by cPanel.

## IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• NIST NVD – CVE-2026-41940
• cPanel Security Update (vendor advisory)

## Summary

**CVE-2026-40976** is a critical security vulnerability in Spring Boot’s default security configuration. The issue occurs when the **Spring Actuator** is enabled but the **Health** endpoint (or certain management endpoint configurations) are not present; under these conditions the default security filter chain can be created without an authorization rule for Actuator endpoints. This can leave Actuator endpoints accessible without proper authentication or authorization.

### Affected software

– Spring Boot 4.x versions prior to the vendor fix (fixed in **Spring Boot 4.0.6**).
– Applications that enable Spring Actuator and rely on the default security configuration are at risk if they have the affected configuration (Actuator enabled but Health endpoint disabled or similarly unusual management endpoint settings).

### Technical details

– **Root cause:** When Actuator is present but the Health endpoint is not, the default security filter chain can be instantiated without registering the required authorization rule for Actuator endpoints.
– **Consequence:** Management/Actuator endpoints that are expected to be protected may be left unprotected, allowing unauthenticated remote access to operational endpoints (metrics, config endpoints, shutdown, etc.) depending on which Actuator endpoints are enabled.

### Severity and impact

– **Severity:** Critical (vendor advisory classifies this as CRITICAL).
– **Potential impact:** Unauthorized access to Actuator endpoints can lead to information disclosure (system metrics, configuration), operational disruption (exposed control endpoints), and increased attack surface for follow-on exploitation. The exact impact depends on which Actuator endpoints are enabled in a given application.

### Recommendations

– **Immediate action:** Upgrade Spring Boot to **4.0.6** or later where the issue is fixed.
– **Configuration hardening:** Until you can upgrade, restrict network access to management endpoints (firewall or network ACLs), explicitly configure security rules for Actuator endpoints, and avoid exposing Actuator to untrusted networks.
– **Verify:** Review applications that enabled Spring Actuator and confirm whether the Health endpoint or other management configuration could trigger the default filter-chain behavior; enforce explicit authorization rules for management endpoints in security configuration.

## IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• NVD (NIST)
• Spring Security Advisory
• Spring Boot 4.0.6 release

## Overview

**CVE-2026-33453** is a critical vulnerability in Apache Camel’s **camel-coap** component that allows an unauthenticated attacker to inject arbitrary Camel message headers via CoAP URI query parameters. When a vulnerable Camel route forwards such a crafted Exchange to a **header-sensitive producer** (for example, camel-exec, camel-sql, camel-bean, camel-file, or template components), the injected headers can alter producer behavior and lead to **remote code execution (RCE)**.

### Vulnerability details

– **Root cause:** The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. The component does not filter or restrict header names or prefixes (including internal Camel headers such as those prefixed with Camel*).
– **Exploit vector:** An unauthenticated attacker who can send a single CoAP UDP datagram to a Camel route consuming from coap:// can inject arbitrary Camel internal headers. For example, supplying CamelExecCommandExecutable and CamelExecCommandArgs headers can override the configured command for **camel-exec**, resulting in OS command execution as the Camel process user.
– **Protocol considerations:** CoAP (RFC 7252) is UDP-based, typically listens on port **5683**, and by default does not enforce authentication (DTLS is optional and often disabled). Because it’s UDP, many HTTP-layer WAF/IDS protections will not detect or block this traffic.

### Affected software versions

– Affected: Apache Camel versions listed by the vendor (see references). The vendor recommends upgrading to fixed releases.
– Vendor-recommended fixed versions: **upgrade to 4.18.1 or 4.19.0** (see Apache advisory for exact affected ranges and fixed releases).

### Severity

– **CVSS v3.1:** 10.0 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
– **Impact:** Remote, unauthenticated full confidentiality, integrity, and availability compromise; interactive RCE via returned CoAP payload is possible.

### Potential impact

– Full system compromise of hosts running vulnerable Camel routes (depending on process privileges).
– Data exfiltration, service disruption, lateral movement from compromised hosts.
– Interactive command execution is possible because producer output is returned in the CoAP response payload.

### Mitigation and recommendations

– **Immediate:** Apply the vendor-recommended updates — upgrade Apache Camel to the versions identified in the advisory (upgrade to **4.18.1** or **4.19.0** as noted by the vendor).
– **Short-term compensations if patching is delayed:**
– Restrict network access to CoAP endpoints (block or limit UDP/5683 to trusted hosts/networks).
– Enable DTLS for CoAP endpoints where feasible and enforce strong authentication.
– Disable or avoid using header-sensitive producers (like camel-exec) behind CoAP endpoints until patched, or ensure message headers cannot be controlled by external inputs.
– Implement network-level monitoring for unexpected CoAP traffic and anomalous process activity on Camel hosts.

## IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• NIST (NVD)
• oss-security disclosure (openwall)

CrowdStrike has disclosed a critical unauthenticated path traversal vulnerability (CVE-2026-40050) affecting self-hosted LogScale versions 1.224.0 through 1.235.0. The flaw resides in a specific cluster API endpoint that is externally reachable, allowing a remote, unauthenticated attacker to read arbitrary files from the server filesystem — requiring no privileges and no user interaction (CVSS AV:N/AC:L/PR:N/UI:N).
Next-Gen SIEM (SaaS) customers are not affected; CrowdStrike already deployed network-layer mitigations for its SaaS clusters on April 7, 2026. Self-hosted customers must upgrade immediately to a patched release: **1.228.2, 1.233.1, 1.234.1, or 1.235.1**.

• CrowdStrike Security Advisory

CVE-2026-40372 is a critical privilege escalation vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affecting ASP.NET Core 10.0 prior to version 10.0.7. An unauthenticated remote attacker can exploit the flaw over the network with no user interaction, potentially bypassing authentication or authorization token validation on any exposed ASP.NET Core web service.

The vulnerability carries a CVSS vector of AV:N/AC:L/PR:N/UI:N, reflecting maximum network exploitability with no prerequisites. Although no public exploit code is currently known, the vulnerability is fully confirmed with an official fix available. Organizations running ASP.NET Core 10.0 should upgrade to version 10.0.7 or later immediately.

• Microsoft Security Response Center Advisory – CVE-2026-40372
• NVD – CVE-2026-40372

## Vercel Compromise

In April 2026, Vercel suffered a security breach originating from a compromised third-party AI tool whose Google Workspace OAuth app was part of a broader attack affecting hundreds of users across multiple organizations.

## Attack Implications

Attackers gained unauthorized access to a limited subset of customer data, including potential exposure of non-sensitive environment variables such as API keys, tokens, and database credentials, while environment variables explicitly marked as “sensitive” in Vercel remained protected.

## Vercel Operational Status

Vercel’s services stayed operational throughout the incident, and the company engaged incident response experts and notified law enforcement. Vercel customers are advised to review their account activity logs, rotate any exposed environment variables, and audit their Google Workspace for the malicious OAuth app (`110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com`).

The IONIX research team is tracking the situation and update on any developments.

• Vercel Security Advisory

CVE-2026-22679 is a critical unauthenticated remote code execution vulnerability affecting Weaver (Fanwei) E-cology 10.0 versions prior to 20260312. The flaw exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where exposed debug functionality can be invoked via crafted POST requests supplying attacker-controlled interfaceName and methodName parameters. Successful exploitation allows attackers to reach command-execution helpers and execute arbitrary system commands, leading to full confidentiality, integrity, and availability compromise. The issue is tracked as CWE-306 (missing authentication) and has a CVSSv3.1 base score of 9.8 (Critical). Public evidence of exploitation was first observed by Shadowserver on 2026-03-31 (UTC).

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-22679 at NIST
• Weaver (Fanwei) Security Downloads / Advisories

A critical vulnerability, CVE-2026-35030, affects LiteLLM (an AI gateway/proxy for calling LLM APIs). Prior to version 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses the first 20 characters of the token (token[:20]) as the cache key. JWT headers produced by the same signing algorithm can produce identical first 20 characters, allowing an unauthenticated attacker to craft a token whose first 20 characters match a legitimate user’s cached token. On a cache hit the attacker inherits the legitimate user’s identity and permissions. This configuration option is not enabled by default, so most instances are not affected; however deployments that do enable JWT/OIDC authentication are vulnerable. The issue is fixed in v1.83.0 and is assigned a CVSS 4.0 base score of 9.4 (CRITICAL) per the published advisory.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-35030 at NIST
• LiteLLM GitHub Security Advisory

A critical authentication bypass vulnerability, CVE-2026-20093, affects Cisco Integrated Management Controller (IMC). According to the NIST/Cisco advisory, the issue is caused by incorrect handling of password change requests in the change-password functionality. An unauthenticated, remote attacker could send a specially crafted HTTP request to an affected IMC device to bypass authentication, alter passwords for any user (including Admin), and gain administrative access. The vulnerability is rated CVSS 3.1 9.8 (CRITICAL) and can result in full confidentiality, integrity, and availability compromise of the affected system.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-20093 at NIST
• Cisco Security Advisory

A critical remote code execution vulnerability (CVE-2025-53521; CVSS 3.1 score 9.8) affects F5 BIG‑IP when an Access Policy Manager (APM) access policy is configured on a virtual server. Crafted malicious traffic can lead to unauthenticated remote code execution, enabling full system compromise of affected appliances. NIST and vendor records indicate the issue impacts multiple BIG‑IP modules across the 15.1.x, 16.1.x and 17.x branches (see vendor advisory for exact version ranges and module details).

Although this CVE was originally disclosed in October 2025 as a lower-severity denial-of-service issue, F5 reclassified it as a critical RCE vulnerability in March 2026 following new findings — significantly raising its risk profile. CISA has since added it to its Known Exploited Vulnerabilities catalog and active in-the-wild exploitation has been confirmed, underscoring the urgency of immediate remediation.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching.

• NVD (likely intended CVE – CVE-2025-53521)
• F5 Knowledge Base (K000156741)
• CISA Known Exploited Vulnerabilities Catalog (search for CVE-2025-53521)

A critical vulnerability, CVE-2026-33017, has been identified in Langflow versions prior to 1.9.0. The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, intended to allow building public flows without authentication, improperly accepts an optional data parameter containing attacker-controlled flow definitions. When supplied, the endpoint uses the provided flow data (which can include arbitrary Python code in node definitions) instead of the stored database flow and passes that code to exec() with no sandboxing, enabling unauthenticated remote code execution. The issue carries a CVSS v4.0 base score of 9.3 and has been fixed in Langflow 1.9.0.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-33017 at NIST
• Langflow GitHub Security Advisory (fix)

A critical vulnerability, CVE-2026-23813, affects the web-based management interface of HPE Aruba Networking AOS-CX switches. According to the NIST description and HPE advisory, an unauthenticated remote actor can circumvent authentication controls in the web management UI; in some cases this may allow the attacker to reset the administrative password. The issue is rated CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and poses a high risk of administrative takeover, unauthorized configuration changes, and full device compromise. Administrators should consult the vendor advisory for the exact list of affected AOS-CX firmware/software versions and available patches or mitigations.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-23813 at NIST
• HPE Advisory (HPESBNW05027)
• SecurityAffairs coverage

CVE-2026-27944 is a critical information disclosure vulnerability in Nginx UI (the web user interface for managing Nginx). Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and returns an encryption key in the X-Backup-Security response header. An unauthenticated attacker can download a full system backup (which may include user credentials, session tokens, SSL private keys, and Nginx configuration files) and immediately decrypt it using the disclosed key. The issue has a CVSSv3.1 base score of 9.8 (Critical) and is fixed in Nginx UI 2.3.3.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-27944 at NIST
• Nginx UI / GitHub Security Advisory

Critical vulnerabilities (CVE-2026-20079 + CVE-2026-20131) exists in the web interface of Cisco Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device, potentially obtaining root access to the underlying operating system. The issue is caused by an improper system process created at boot time; an attacker can exploit it by sending crafted HTTP requests to an affected FMC instance. Cisco’s published metrics assign a CVSSv3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity. Successful exploitation can allow full system compromise, execution of arbitrary scripts and commands as root, and complete loss of confidentiality, integrity, and availability of the appliance.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-20079 at NIST
• Cisco Security Advisory

A critical authentication bypass vulnerability, CVE-2026-2628, has been identified in the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login WordPress plugin (also known as Login with Azure). According to the NVD entry, all plugin versions up to and including 2.2.5 are vulnerable. An unauthenticated attacker can bypass authentication and log in as arbitrary users, including administrators. The issue is rated CRITICAL (CVSS 3.1 base score 9.8) and can lead to full site takeover, data exposure, and further lateral movement within an affected environment if exploited.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• NVD (CVE-2026-2628)
• Wordfence Threat Intelligence Advisory
• Official WordPress Plugin Page (Login with Azure)

A critical authentication bypass vulnerability, CVE-2026-20127, affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller (formerly SD‑WAN vSmart) and Cisco Catalyst SD‑WAN Manager (formerly SD‑WAN vManage). The flaw allows an unauthenticated remote attacker to send crafted requests that bypass peering authentication and obtain an internal, high-privileged non-root administrative account.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-20127 at NIST
• Cisco Security Advisory
• CISA Known Exploited Vulnerabilities Catalog

CVE-2026-1731 is a critical vulnerability, which affects BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA).

The flaw is a pre‑authentication remote code execution stemming from improper handling of specially crafted requests allowing an unauthenticated remote attacker to execute operating system commands in the context of the site user. Users are advised to update their appliances to the latest version.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-1731 at NIST
• BeyondTrust Security Advisory (BT26-02)

CVE-2026-1499 is a critical vulnerability (CVSS 3.1 base score 9.8) affecting the WP Duplicate WordPress plugin in all versions up to and including 1.1.8. The flaw is a missing authorization (capability) check on the process_add_site() AJAX action combined with a path traversal issue in the file upload functionality. An authenticated low-privileged user (subscriber-level) can set an internal option (prod_key_random_id) that enables an unauthenticated attacker to bypass authentication checks and invoke handle_upload_single_big_file() to write arbitrary files to the server. Successful exploitation can lead to remote code execution, full site compromise, deployment of web shells, data theft, and lateral movement within hosting environments.

• CVE-2026-1499 at NIST

CVE-2026-1056, a critical vulnerability, affects the Snow Monkey Forms plugin for WordPress in all versions up to and including 12.0.3. The vulnerability allows unauthenticated attackers to delete arbitrary files on the server. Successful exploitation can remove critical site files (for example wp-config.php), leading to remote code execution, data loss, and full site compromise.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-1056 at NIST
• Wordfence vulnerability report

A critical code-injection vulnerability, CVE-2026-1281, affects Ivanti Endpoint Manager Mobile (EPMM) (formerly MobileIron). According to public advisories and the U.S. CISA Known Exploited Vulnerabilities catalog, the flaw allows an unauthenticated attacker to inject code that can lead to remote code execution on vulnerable EPMM deployments. Ivanti has published security updates and RPM fixes to address the issue; CISA has added the CVE to its KEV catalog, indicating active exploitation risk and elevated urgency for remediation.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-1281 at NIST
• Ivanti Security Advisory (EPMM)

A critical authentication bypass vulnerability, CVE-2026-24858, affects multiple Fortinet products (FortiOS, FortiManager, FortiAnalyzer and FortiProxy) when the FortiCloud single sign-on (SSO) login feature is enabled. The flaw is an Authentication Bypass that can allow an attacker who controls a FortiCloud account and a registered device to log into other devices registered to different accounts. Fortinet has reported active exploitation in the wild; observed malicious activity has included creation of local admin accounts, persistent configuration changes (including enabling VPN access), and exfiltration of device configuration data. Fortinet issued mitigations (including temporarily blocking FortiCloud SSO connections) and published PSIRT guidance and patches to address the issue.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• NVD – CVE-2026-24858
• Fortinet PSIRT (FG-IR-26-060) Advisory

A critical vulnerability, CVE-2026-24061, affects the telnetd daemon in GNU Inetutils (vulnerable versions: since 1.9.3 up to and including 2.7). The flaw allows remote authentication bypass via a “-f root” value for the USER environment variable, permitting an unauthenticated attacker to influence how telnetd interprets the USER value and bypass normal authentication checks. Successful exploitation can result in unauthorized remote access and potential full system compromise on hosts running the vulnerable telnetd service. Upstream patches have been published to correct the unsafe handling of USER values; administrators should remove or patch telnetd where possible and restrict access to the telnet port until mitigations are applied.

IONIX research team developed a simulation to validate exposure to CVE-2026-24061. Confirmed findings are listed in this post.

• CVE-2026-24061 at NIST
• GNU Inetutils Security Advisory (oss-sec / seclists.org)

A critical vulnerability, CVE-2026-21962, has been identified in Oracle Fusion Middleware components including Oracle HTTP Server and the WebLogic Server Proxy Plug-in for Apache and IIS. The issue is an authentication bypass that can be exploited remotely without user interaction, allowing an unauthenticated attacker to bypass access controls and cause significant confidentiality and integrity impact. Published advisories list the WebLogic Server Proxy Plug-in for IIS 12.2.1.4.0 as affected; Oracle included fixes for this and related issues in its January 2026 Critical Patch Update. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) per published details.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2026-21962 at NIST (NVD)
• Oracle Critical Patch Update – January 2026
• GitHub Advisory (GHSA-4wp9-cf5h-v2g5)

A critical vulnerability, CVE-2026-21858 (nicknamed “Ni8mare”), affects the n8n workflow automation platform. The flaw stems from improper webhook/form-data request handling in n8n’s file processing path: a file handling function can be invoked without correctly verifying the Content-Type, enabling an unauthenticated remote attacker to manipulate req.body.files or submit specially crafted requests that expose arbitrary files and sensitive data.

This can lead to secret exfiltration, forged administrative access and in chained scenarios, remote code execution and full server compromise. Affected users are recommended to upgrade to the version 1.121.0 and later.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• n8n GitHub Security Advisory (GHSA-v4pr-fm98-w9pg)
• Cyera Research Labs – Ni8mare (CVE-2026-21858)

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process, potentially leading to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system‑level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0.
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE‑2025‑68613 at NIST

An Improper Verification of Cryptographic Signature vulnerability in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device.

A partial list of potentially affected Fortinet-related assets is outlined in this post.

• CVE-2025-59719 at FortiGuard
• NIST

A critical security vulnerability (CVE-2025-55182) was disclosed in React Server Components in December 2025, impacting React Server DOM packages used for Server Components and Server Functions in React 19 (versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0). The issue enables unauthenticated remote code execution via crafted requests due to unsafe payload deserialization, and was patched in React releases 19.0.1, 19.1.2, and 19.2.1. Frameworks implementing React Server Components inherit the vulnerability, including Next.js versions using the App Router and Server Actions; affected Next.js versions include 15.x, 16.x, and canary builds starting from 14.3.0-canary.77, with fixes available in Next.js 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, and 16.0.7 or later.
UPDATE: The IONIX research team developed a simulation to validate exposure to CVE-2025-55182 and the related Next.js advisory CVE-2025-66478. Confirmed findings are listed in this post.

• NIST NVD
• CVE-2025-55182 at cve.org
• React Advisory
• NextJS Advisory

An Unauthenticated Remote Code Execution vulnerability in the Identity Manager product of Oracle Fusion Middleware in versions 12.2.1.4.0 and 14.1.2.1.0. Allows unauthenticated attackers with network access via HTTP to compromise Identity Manager. Successful exploitation of this vulnerability can result in takeover of the Identity Manager instance.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A partial list of potentially affected assets is outlined in this post.

• CVE‑2025‑61757 at NIST
• Oracle Critical Patch Update October 2025 Advisory

A critical path-traversal vulnerability, CVE-2025-64446, has been reported in Fortinet FortiWeb web application firewall (WAF) appliances. The flaw resides in the GUI component and can be triggered via crafted HTTP(S) requests that cause path confusion or directory traversal, enabling unauthenticated attackers to execute administrative commands or create unauthorized administrative accounts on affected devices. Public reporting and independent researchers confirmed successful exploitation against FortiWeb 8.0.1 (the issue was addressed in FortiWeb 8.0.2); multiple 7.x and 8.x builds were indicated as impacted in vendor release notes and community advisories. Evidence of active exploitation in the wild has been published by several security outlets and the issue has been prioritized for rapid remediation by US authorities.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-64446 at NIST
• FortiGuard PSIRT

CVE-2025-12480 is an improper access control vulnerability in Gladinet’s Triofox file-sharing and remote-access platform. The flaw allows unauthenticated remote actors to access application configuration/setup pages that should be protected, which can be leveraged to create administrative accounts, manipulate configuration (including the built-in anti-virus handling), upload malicious files, and ultimately execute arbitrary code on affected systems. The issue affects Triofox builds prior to the patched release (mitigated in 16.7.10368.56560); public reporting and threat intelligence indicate a high severity rating and active exploitation in the wild by threat actors.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Affected assets are outlined in this post.

• NIST
• Google Threat Intelligence

A critical remote code execution vulnerability (CVE-2025-59287) affects Microsoft Windows Server Update Services (WSUS). The flaw arises from deserialization of untrusted data, allowing an unauthenticated attacker with network access to send crafted serialized payloads and execute arbitrary code with SYSTEM privileges.
Microsoft rated the issue Critical (CVSS 9.8) and released out-of-band security updates on October 24, 2025, covering all supported Windows Server versions. Systems without the WSUS Server Role enabled are not affected. If patching is delayed, administrators can temporarily disable the WSUS role or block inbound traffic on ports 8530/8531 until updates are applied.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A partial list of potentially affected assets is listed.

• NIST NVD (CVE-2025-59287)
• Microsoft Security Update Guide – CVE-2025-59287

CVE-2025-53072 & CVE-2025-62481 Vulnerabilities in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.2.3 – 12.2.14. Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of these vulnerabilities can result in takeover of Oracle Marketing.
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A list of potentially affected assets is outlined in this post.

• CVE-2025-53072 at NIST
• CVE-2025-62481 at NIST
• Oracle Critical Patch Update Advisory

A large-scale breach of F5 Networks was disclosed after the company discovered long‑term, persistent access by a highly capable nation‑state actor to certain product development and engineering systems. The intruders exfiltrated portions of BIG‑IP source code and undisclosed vulnerability/bug information. Customers are highly recommended to apply the latest patches to F5 appliances. The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A partial list of potentially affected assets is outlined in this post.

• F5 Vendor Advisory

A critical vulnerability, CVE-2025-49844 (dubbed “RediShell”), exists in Redis’s Lua scripting subsystem. The flaw is a use‑after‑free vulnerability in the embedded Lua interpreter that can allow an attacker who can execute Lua scripts (for example, via EVAL or modules) to escape the Lua sandbox and achieve arbitrary code execution on the underlying host. The issue traces back to code added in 2012 and affects Redis releases that include Lua scripting support; Redis published patches (6.2.20, 7.2.11, 7.4.6, 8.0.4 and 8.2.2) on October 3, 2025. The vulnerability is rated critical (CVSS 9.9) because successful exploitation can lead to full system compromise and persistence on affected hosts.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-49844 at NIST
• Redis Security Advisory (RediShell)
• Wiz research analysis

CVE-2025-61882 is a remote code execution vulnerability affecting the Oracle E-Business Suite. Oracle’s vendor advisory indicates the issue is remotely exploitable without authentication, meaning an attacker can target vulnerable E-Business Suite deployments over the network without valid credentials. Successful exploitation may allow RCE on the affected instance.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-61882 at NIST
• Oracle Vendor Advisory

CVE‑2025‑20333 is a vulnerability in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software allows an authenticated, remote attacker to execute arbitrary code on an affected device. The flaw results from improper validation of user-supplied input in HTTP(S) requests. With valid VPN credentials, an attacker can send crafted requests to the device and, upon successful exploitation, achieve root-level code execution — potentially leading to full device compromise.

CVE-2025-20362 is a medium-severity flaw in Cisco ASA and FTD VPN web servers that lets unauthenticated attackers access restricted URLs without authentication. With no workarounds available and exploitation attempts already observed, Cisco strongly recommends upgrading to a fixed release.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-20333 at NIST
• CVE-2025-20362 at NIST
• Cisco security advisory

A critical vulnerability, CVE-2025-10035, has been reported in Fortra’s GoAnywhere Managed File Transfer (MFT) platform. The issue is a deserialization flaw in the License Servlet component that can be triggered by a forged license response signature; when exploited it allows attacker-controlled objects to be deserialized, potentially leading to command injection and full system compromise. The vulnerability has been assigned a maximum CVSSv3.1 score of 10.0. Administrators should consult the vendor advisory for exact affected versions and the vendor-supplied fixes or mitigations and apply them immediately.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-10035 at NIST
• Fortra Security Advisory FI-2025-012
• Coverage — The Register

CVE-2025-58434 is a critical authentication/authorization vulnerability affecting Flowise (Cloud and self-hosted) versions 3.0.5 and earlier. The application’s forgot-password endpoint returns a valid password reset temporary token (tempToken) in the API response without requiring proper authentication or verification, allowing any remote attacker to generate or obtain reset tokens for arbitrary users and immediately reset their passwords. Successful exploitation can lead to full account takeover, unauthorized access to saved flows and data, and potential lateral movement or persistence within impacted deployments.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE at NIST
• Flowise GitHub Advisory

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-42944 at NIST
• SAP Security Note

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This issue also affects any token with “project get” permissions, including global roles such as p, role/user, projects, get, *, allow. Fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A partial list of potentially affected assets is listed in this post.

• CVE-2025-55190 at NIST
• Argo CD Security Advisory

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching.

• NVD
• GitHub Security Advisory
• FreePBX Community Advisory

A memory overflow vulnerability in NetScaler ADC and NetScaler Gateway may allow Remote Code Execution or Denial of Service when configured as Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It also affects LB virtual servers of type HTTP, SSL, or HTTP_QUIC bound to IPv6 services or service groups.
It affects versions 13.1 before 13.1-59.22, 14.1 before 14.1-47.48, 13.1-FIPS and NDcPP before 13.1-37.241, and 12.1-FIPS and NDcPP before 12.1-55.330.
Exploits of CVE-2025-7775 on unmitigated appliances have been observed in the wild.
The IONIX research team is tracking ongoing exploitation attempts and recommends follow the vendor security bulletin. Potentially affected assets are outlined in this post.

• CVE-2025-7775 at Nist
• Citrix Security Bulletin

A critical vulnerability, CVE-2025-57791, has been identified in Commvault Backup and Replication software prior to version 11.36.60. Due to command-line argument injection being passed to authentication components without sufficient sanitization, it is possible to bypass authentication and gain administrative privileges. Exploitation of this vulnerability can lead to remote code execution (RCE) via CVE-2025-57790, which is a post-authentication RCE.

• Vendor Advisory
• NIST Advisory

A critical vulnerability, CVE-2025-57789, has been identified in Commvault Backup and Replication software prior to version 11.36.60. During the short window between installation and the first administrator login, remote attackers may exploit the default credential to gain administrative control. This issue is limited to the setup phase, before any jobs have been configured. Exploitation of this vulnerability can lead to remote code execution (RCE) via CVE-2025-57790, which is a post-authentication RCE.

• Vendor Advisory
• NIST Advisory

A critical vulnerability, CVE-2025-25256, has been identified in FortiSIEM, where an OS command injection flaw allows attackers to execute arbitrary system commands remotely. The flaw arises from insufficient input sanitization in command processing, which can lead to full system compromise and unauthorized access when exploited.
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching according to the advisory. Potentially affected assets are detailed in this post.

• CVE-2025-25256 at NIST
• Fortinet Advisory

A critical vulnerability CVE-2025-54253 has been identified in Adobe Experience Manager (AEM) Forms, in versions 6.5.23 and earlier, where a misconfiguration allows attackers to remotely execute arbitrary code on the impacted server. Exploitation of this flaw can lead to unauthorized access and compromise of sensitive customer data, posing significant risks to confidentiality and system integrity. Organizations using AEM Forms are strongly advised to review their current deployment and apply the necessary patches to mitigate this risk.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Affected assets are outlined in this post.

• CVE-2025-54253 At NIST
• Adobe Vendor Advisory

A critical vulnerability, CVE-2025-53770, affects on-premises deployments of Microsoft SharePoint Server. The flaw stems from insecure deserialization of untrusted data, allowing unauthorized attackers to remotely execute arbitrary code over the network. Microsoft has confirmed that this vulnerability is actively being exploited in the wild. While a comprehensive security update is undergoing testing, Microsoft has issued interim mitigation guidance to reduce exposure. IONIX urges organizations to apply these mitigations immediately to protect vulnerable SharePoint instances from exploitation. Update (July 22nd): the IONIX research team developed an exploit simulation for relevant assets to verify whether the vulnerability can be exploited on those assets and assess potential exposure. The findings are detailed in this post.

• CVE-2025-53770 at NIST
• Microsoft Security Advisory

An improper neutralization of special elements used in an SQL command in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. The vulnerability can be further escalated to a Remote Code Execution. The IONIX research team validated the impact through successful exploit reproduction, as detailed in this advisory.

• Mitre
• Vendor Advisory

A critical vulnerability, CVE-2025-5777, has been identified in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw is a memory over-read caused by insufficient input validation, which can allow unauthenticated attackers to extract valid session tokens from memory. It affects multiple versions prior to 14.1-43.56 and 13.1-58.32. Update from July7: The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. Potentially exposed assets are outlined in this post.

• CVE-2025-5777 at Nist
• Citrix Security Bulletin

A critical vulnerability, CVE-2025-6543, has been identified in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability is a memory overflow that may lead to unintended control flow and denial of service (DoS). It affects multiple versions prior to 14.1-47.46 and 13.1-59.19. Public exploitation has been observed, with reports indicating active targeting in the wild. The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially exposed assets are outlined in this post.

• CVE-2025-6543 at Nist
• Citrix Security Bulletin

A critical vulnerability, CVE-2025-30220, has been identified in GeoServer’s Web Feature Service (WFS), impacting versions 2.27.0, 2.26.0 through 2.26.2, and all versions up to 2.25.6. The flaw originates from the underlying GeoTools library (gt-xsd-core), which mishandles XML parsing by bypassing the intended AllowListEntityResolver. This allows unauthenticated attackers to submit specially crafted XML payloads containing external entity definitions, leading to XML External Entity (XXE) injection. The vulnerability enables remote, unauthenticated exploitation that compromises confidentiality and internal network isolation. The issue also affects dependent systems such as GeoNetwork and the GeoTools WFS-NG datastore. Patched versions have been released for GeoServer (2.27.1, 2.26.3, 2.25.7), GeoTools (33.1, 32.3, 31.7, 28.6.1), and GeoNetwork (4.4.8, 4.2.13). The IONIX research team confirmed the vulnerability and validated the risk through successful exploit reproduction, as detailed in this advisory.

• CVE-2025-30220 at NIST

A critical vulnerability, CVE-2025-4009, has been identified in Evertz SDVN 3080ipx-10G and other devices leveraging the webEASY (ewb) management interface. This flaw affects all current versions and arises from a combination of an authentication bypass and unauthenticated command injection in administrative endpoints. By crafting a specially encoded JSON token, attackers can gain unauthorized administrative access. Leveraging this access, they can exploit the feature-transfer-import.php and feature-transfer-export.php endpoints to inject arbitrary system commands. This vulnerability enables unauthenticated remote code execution (RCE) as root on affected devices, potentially allowing full system takeover, disruption of broadcast workflows, and lateral movement within media infrastructure networks. The IONIX research team validated the impact through successful exploit reproduction, as detailed in this advisory.

• CVE-2025-4009 at NIST

A critical vulnerability, CVE-2025-34027, has been identified in the Versa Concerto SD-WAN orchestration platform, affecting versions 12.1.2 through 12.2.0. This flaw results from a misconfiguration in the Traefik reverse proxy that enables authentication bypass, granting unauthorized access to administrative endpoints. Exploiting the vulnerable Spack upload endpoint, attackers can leverage a Time-of-Check to Time-of-Use (TOCTOU) race condition to manipulate file paths during load operations. This enables unauthenticated remote code execution (RCE) on the underlying system. The IONIX research team confirmed the impact through controlled exploit validation, as detailed in this post.

• CVE-2025-34027 at NIST

A critical remote code execution (RCE) chain, involving CVE-2025-4427 and CVE-2025-4428, has been identified in Ivanti Endpoint Manager Mobile (EPMM) versions up to 12.5.0.0. CVE-2025-4427 allows unauthenticated attackers to bypass authentication controls via the API component, granting access to otherwise protected resources. Chaining this with CVE-2025-4428, attackers with API access can craft malicious requests to execute arbitrary code on the underlying system. The exploitation of this pre-auth RCE chain poses a severe risk of full system compromise. Ivanti has released security updates to address both flaws, and immediate patching is strongly recommended. The IONIX research team successfully validated the attack vector in a controlled environment, as detailed in this post.

• CVE-2025-4427 at NIST
• CVE-2025-4428 at NIST
• Ivanti EPMM Security Advisory

A critical vulnerability, CVE-2025-2775, has been identified in SysAid On-Prem versions ≤ 23.3.40, exposing the platform to an unauthenticated XML External Entity (XXE) injection flaw within the Checkin processing functionality. This vulnerability allows remote attackers to exploit XML parsing behavior to read arbitrary files from the server or gain access to sensitive information, including administrator credentials. Successful exploitation can lead to full administrative account takeover and further system compromise. SysAid has released a security advisory urging immediate patching. The IONIX research team verified the vulnerability’s impact through exploit simulation, detailed in this post.

• CVE-2025-2775 at NIST
• Vendor advisory
• IONIX Blog

A critical vulnerability, CVE-2025-31324, has been identified in SAP NetWeaver Visual Composer, allowing unauthenticated remote code execution via the Metadata Uploader component. This flaw arises from improper authentication checks, enabling attackers to send crafted HTTP/HTTPS requests to upload malicious binaries. Successful exploitation can result in complete system compromise. The issue affects all SAP NetWeaver 7.xx versions. Users are strongly advised to apply the emergency patch released by SAP. The IONIX research team verified the vulnerability’s impact through exploit simulation, detailed in this post.

• Nist – CVE-2024-28995
• IONIX – Exploited! SAP NetWeaver Visual Composer Unauthenticated File-Upload Vulnerability
• The Hacker News – New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell Brute Ratel Framework

A critical vulnerability, CVE-2025-32433, has been discovered in the SSH server implementation within Erlang/OTP, allowing unauthenticated remote code execution through malformed SSH messages. This flaw arises from improper handling of protocol messages before authentication is completed, enabling attackers to send crafted payloads that the server processes unsafely. If the SSH daemon is running with elevated privileges, successful exploitation can result in complete system compromise. The issue affects multiple Erlang/OTP branches, including versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. In environments where immediate patching is not feasible, administrators should consider disabling SSH temporarily or applying strict network access controls. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.

• CVE-2025-32433 at NIST
• Erlang Security Advisories
• IONIX Blog

A critical vulnerability, CVE-2025-2825, has been identified in CrushFTP. This vulnerability allows remote unauthenticated access via specially crafted HTTP(S) requests, bypassing authentication checks through a flaw in the loginCheckHeaderAuth() method. It affects instances with S3-compatible API access enabled and can be exploited with knowledge of a valid username. This issue has been patched in CrushFTP 11.3.1, and users are strongly advised to upgrade. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.

• CVE-2025-2825 at NIST
• The Hacker News

A critical authentication bypass vulnerability has been identified in Kentico Xperience CMS versions prior to 13.0.173. The vulnerability stems from an issue in the staging endpoint /CMSPages/Staging/SyncServer.asmx that allows attackers to forge requests and bypass authorization controls.
This vulnerability can be exploited to gain full control over affected Xperience instances, specifically those with staging enabled and configured to use username and password authentication. Instances using X.509 certificate-based authentication are not affected. The findings are detailed in this post. Kentico has released a hotfix addressing this vulnerability.

• CVE-2025-2746 at NIST
• Cyber Security News Kentico Xperience CMS
• Kentico Hotfix 13.0.173

A series of critical vulnerabilities (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514) have been identified in the Ingress NGINX Controller for Kubernetes. These vulnerabilities allow unauthenticated remote code execution (RCE) via crafted requests to the Validating Admission Controller and admission controller components of ingress-nginx. Exploitation of these vulnerabilities can lead to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, potentially resulting in a complete cluster takeover. These issues have been patched in Ingress NGINX versions 1.12.1 and 1.11.5, users are strongly advised to upgrade. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure.

• CVE-2025-1974 at NIST
• CVE-2025-1097 at NIST
• CVE-2025-1098 at NIST
• CVE-2025-24514 at NIST
• Wiz Research Team

A critical vulnerability, CVE-2025-24893, has been identified in XWiki Platform. This vulnerability allows unauthenticated remote code execution (RCE) via crafted requests to the SolrSearch endpoint, embedding Groovy script execution within the search query parameters. It impacts the confidentiality, integrity, and availability. This issue has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1, and users are strongly advised to upgrade. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.

• CVE-2025-24893 at NIST
• Vendor advisory

A critical Authentication Bypass vulnerability has been identified in FortiOS and FortiProxy, allowing remote attackers to gain super-admin privileges via crafted requests to the Node.js WebSocket module. Affected versions include FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Reports indicate that this vulnerability is being actively exploited in the wild.
Indicators of compromise include the creation of suspicious new admin users with six-character random strings (e.g., Gujhmk, Ypda8a). Additionally, attackers have been observed using the following IPs: 45.55.158.47, 87.249.138.47, 155.133.4.175, 37.19.196.65, and 149.22.94.37.
The IONIX research team is actively monitoring the situation and will provide updates if a public exploit becomes available. Meanwhile, the list of potentially impacted assets can be found in this post. For detailed guidance, refer to Fortinet’s Upgrade Tool and follow the provided workaround instructions.

• CVE-2024-55591 at Nist
• Fortiguard Advisory
• Fortinet's Upgrade Tool

A critical vulnerability, CVE-2024-50603, has been identified in Aviatrix Controller versions prior to 7.1.4191 and 7.2.x versions prior to 7.2.4996. This vulnerability stems from the improper neutralization of special elements used in OS commands, allowing an unauthenticated attacker to execute arbitrary code. Exploitation is possible by sending shell metacharacters to the /v1/api endpoint in the cloud_type parameter for list_flightpath_destination_instances or the src_cloud_type parameter for flightpath_connection_test. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post

• Vendor release notices
• NIST NVD Entry

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

• Vendor advisory
• NIST NVD Entry

The Mitel Collab Arbitrary File Read Vulnerability, combining CVE-2024-41713 and another yet-to-be-assigned issue, allows unauthenticated attackers to remotely and easily exploit the system to read arbitrary files from the underlying file system of a Mitel Collab server. By sending specially crafted requests, attackers can bypass access controls and retrieve sensitive files due to improper input validation and directory traversal flaws. To mitigate this vulnerability, follow the vendor advisory for CVE-2024-41713, ensuring the application properly validates and sanitizes user input to prevent directory traversal attacks.

• Mitel MiCollab zero-day flaw gets proof-of-concept exploit
• Mitel MiCollab zero-day and PoC exploit unveiled
• Mitel Product Security Advisory for CVE-2024-41713

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (see references) This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

• CVE-2024-0012 at NIST
• Vendor advisory
• Vendor best practice
• CVE-2024-0012 at CISA

The Really Simple Security (Free, Pro, and Pro Multisite) plugin for WordPress is vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1 when the “Two-Factor Authentication” setting is enabled.
This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.

• CVE-2024-10924 at NIST
• Security plugin flaw in millions of WordPress sites gives admin access

Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

The vulnerability is extremely easy to exploit and is marked by CISA as exploitable.

• Vendor advisory
• CISA: Ivanti Releases Admin Bypass Security Update for Cloud Services Appliance

CyberPanel is a free and open-source control panel for Linux servers, designed to simplify web hosting and server management tasks.
A recent vulnerability was discovered in CyberPanel, allowing an easy remote code execution on the affected machines.

The vulnerability is known to be exploited in the wild and an exploit is publicly available.

We recommend to upgrade to the latest version available and follow the referenced vendor’s advisory (Github patch is referenced).

• Details and fix of recent security issue and patch of CyberPanel
• What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE
• Github patch

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.

Cisa marked this vulnerability as exploited.

• Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
• CISA Adds One Known Exploited Vulnerability to Catalog

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.

CISA marked this vulnerability as known exploited.

As of now, IONIX marked assets as potentially affected, if they are known to be running FortiOS, or a technology that implies FortiOS with high probability.

• Vendor advisory: Format String Bug in fgfmd
• CISA Adds Three Known Exploited Vulnerabilities to Catalog
• CISA says critical Fortinet RCE flaw now exploited in attacks

CUPS (Common UNIX Printing System) is a standards-based, open-source printing system. Recent several vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) were discovered and are potentially allowing hackers to remotely run code on machines that expose the service over UDP (usually, on port 631).

It is recommended to block ports for UDP. It is a good practice to avoid open IPP services also over UDP.

As checking for affected UDP open services triggers a connection from the vulnerable machine to the attacking system, and relying on the fact that most of the detected vulnerable systems over UDP had open IPP service over TCP on the same port, IONIX marks assets as potentially affected based on services with open IPP ports (TCP). Notice, that having IPP service publicly open is also not a good practice, and we recommend to close it as well.

• Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution
• CUPS flaws enable Linux remote code execution but there’s a catch
• Critical CUPS Vulnerabilities Expose Linux and Other Systems to Remote Attacks

The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.

• Nist – CVE-2024-8752

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records.

• CVE-2024-8503 at NIST

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

• CVE-2024-40711 at NIST
• Veeam Security Bulletin September 2024

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.

• CVE-2024-6670 at NIST
• WhatsUp Gold Security Bulletin August 2024

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

• CVE-2024-7593 at NIST
• Security Advisory for CVE-2024-7593

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

• CVE-2024-6205 at NIST

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.

• National Vulnerability Database: CVE-2024-36401

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

• National Vulnerability Database: CVE-2024-5217
• Servicenow support

The Polyfill.io service uses JavaScript code to add modern functionality to older browsers that do not usually support it. For example, it adds JavaScript functions that are not available for older browsers but are present in modern ones.

Sansec warned today that polyfill.io domain and service was purchased earlier this year by a Chinese company named ‘Funnull’ and the script has been modified to introduce malicious code on websites in a supply chain attack. Over 100,000 domains are affected. 🚨🚨🚨 TO SEE ALL AFFECTED ASSETS IONIX CUSTOMERS WILL NEED TO CLICK THE LAST 2 LINKS IN THE REFERENCES SECTION 🚨🚨🚨

• Bleeping Computer – Polyfill.io JavaScript supply chain attack impacts over 100K sites
• Sansec Threat Report on Polyfill.io
• NIST CVE-2024-3526
• 🚨🚨🚨 IONIX CUSTOMERS: List of all your assets which reference "polyfill.io"
• 🚨🚨🚨 IONIX CUSTOMERS: List of all your assets which reference "cdn.polyfill.io"

Adobe Commerce (MAGENTO) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

• Nist – CVE-2024-34102
• Adobe Security Bulletin

CVE-2024-4577 critical remote code execution vulnerability in the PHP programming language could potentially allow unauthenticated attackers to take full control of affected PHP servers.

The vulnerability arises from an oversight in the Best-Fit feature of encoding conversion within the Windows operating system during PHP implementation. This oversight allows attackers to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers via an argument injection attack, enabling unauthorized access and control.

• PHP security release on 06 Jun 2024

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and ‘sid’ parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

• CVE-2024-3495 at NIST
• Cyber Security Agency of Singapore – Critical Vulnerabilities in WordPress Plugins

CISA has added CVE-2023-7028 vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability

• CISA Security Update

This vulnerability in the Automatic Plugin for WordPress, allows a SQL injection (SQLi) flaw and poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.
This vulnerability is being used to perform unauthorized database queries and create new admin accounts on susceptible WordPress sites
It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it.

• CVE-2024-27956 at NIST

An OS Command Injection vulnerability in PAN GlobalProtect is being exploited in the wild. IONIX is now running a full exploit simulation for this vulnerability to better detect vulnerability devices.

PAN versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 impacted. loud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

PAN is in the process of releasing hotfixes to update the affected versions. At this time not all versions have a hotfix available. You should check with PAN to see if a hotfix is available.

Additionally, PAN customers with a Threat Prevention subscription can protect themselves enabling Threat ID 95187.

In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation.

• CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
• Palo Alto Networks firewalls under attack – hotfixes incoming! (CVE-2024-3400)

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Exploits are available online and attempts to exploit the vulnerability were detected.

• Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
• CVE-2024-2879 at NIST

Automatic, a WordPress plugin, in versions <= 3.92.0 is vulnerable to Unauthenticated Arbitrary File Download and Server-Side Request Forgery attacks. The security issue is easy to exploit and it is reported to be exploited in the wild.

Critical authentication bypass vulnerability in JetBrains TeamCity before 2023.11.4 allows to perform admin actions.
CISA recognized this vulnerability as exploited.

• CISA Adds One Known Exploited JetBrains Vulnerability CVE-2024-27198 to Catalog
• Recent TeamCity Vulnerability Exploited in Ransomware Attacks

According to Fortinet, the Fortinet FortiOS vulnerability (affecting also Fortinet VPN) CVE-2024-21762 allows attackers to execute unauthorized code or commands via specifically crafted requests and is potentially exploited in the wild.
CISA marked the vulnerability as exploited.

While a full exploit simulation is not available, the IONIX research team used a deeper version analysis to distinguish between patched versions and older, vulnerable ones.
The analysis leverages a change that was done in the patched version that blocks “chunk-encoded” malformed requests. Our testing tool sends multiple test requests to see that the assets are live and then sends a badly formed “chunk-encoded” probe that is expected to time out only on vulnerable versions.

• Critical Fortinet FortiOS flaw exploited in the wild (CVE-2024-21762)
• Fortinet: FortiOS/FortiProxy – Out-of-bound Write in sslvpnd
• CISA: Fortinet Releases Security Advisories for FortiOS

The Ultimate Member plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

• WordPress Plugin Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

The ‘HTML5 Video Player’ WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
This leads to information leakage and potentially to remote code execution on the server.

• Jenkins Security Advisory 2024-01-24

Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

• PoC for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204)

An issue has been discovered in GitLab CE/EE, in which user account password reset emails could be delivered to an unverified email address resulting in Account Takeover via Password Reset without user interactions.
It is strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler.
The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

• CVE-2024-0352 in NIST