IONIX THREAT CENTER

A critical vulnerability, CVE-2026-21858 (nicknamed “Ni8mare”), affects the n8n workflow automation platform. The flaw stems from improper webhook/form-data request handling in n8n’s file processing path: a file handling function can be invoked without correctly verifying the Content-Type, enabling an unauthenticated remote attacker to manipulate req.body.files or submit specially crafted requests that expose arbitrary files and sensitive data.

This can lead to secret exfiltration, forged administrative access and in chained scenarios, remote code execution and full server compromise. Affected users are recommended to upgrade to the version 1.121.0 and later.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• n8n GitHub Security Advisory (GHSA-v4pr-fm98-w9pg)
• Cyera Research Labs – Ni8mare (CVE-2026-21858)

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process, potentially leading to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system‑level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0.
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE‑2025‑68613 at NIST

An Improper Verification of Cryptographic Signature vulnerability in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device.

A partial list of potentially affected Fortinet-related assets is outlined in this post. We understand that some assets may be unaffected by this vulnerability and will be updating this post with more accurate detection of potentially affected assets soon.

• CVE-2025-59719 at FortiGuard
• NIST

A critical security vulnerability (CVE-2025-55182) was disclosed in React Server Components in December 2025. The flaw affected the React Server DOM packages used to power Server Components and Server Functions in React 19. Specifically, the vulnerable versions were 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The issue allowed unauthenticated attackers to send crafted requests that could trigger remote code execution. In response, the React team released patched versions 19.0.1, 19.1.2, and 19.2.1, removed the affected builds from npm, coordinated with framework maintainers, and published detailed remediation guidance. Applications not using React Server Components or Server Functions are not impacted.
IONIX can detect the use of React Server Components in internet-facing web assets. This IONIX threat center post helps security teams identify potentially affected applications built with React affected versions.
Note: Additional assets may use React Server Components but may not appear in this post.

• React Blog
• CVE-2025-55182 at cve.org

An Unauthenticated Remote Code Execution vulnerability in the Identity Manager product of Oracle Fusion Middleware in versions 12.2.1.4.0 and 14.1.2.1.0. Allows unauthenticated attackers with network access via HTTP to compromise Identity Manager. Successful exploitation of this vulnerability can result in takeover of the Identity Manager instance.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A partial list of potentially affected assets is outlined in this post.

• CVE‑2025‑61757 at NIST
• Oracle Critical Patch Update October 2025 Advisory

A critical path-traversal vulnerability, CVE-2025-64446, has been reported in Fortinet FortiWeb web application firewall (WAF) appliances. The flaw resides in the GUI component and can be triggered via crafted HTTP(S) requests that cause path confusion or directory traversal, enabling unauthenticated attackers to execute administrative commands or create unauthorized administrative accounts on affected devices. Public reporting and independent researchers confirmed successful exploitation against FortiWeb 8.0.1 (the issue was addressed in FortiWeb 8.0.2); multiple 7.x and 8.x builds were indicated as impacted in vendor release notes and community advisories. Evidence of active exploitation in the wild has been published by several security outlets and the issue has been prioritized for rapid remediation by US authorities.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-64446 at NIST
• FortiGuard PSIRT

CVE-2025-12480 is an improper access control vulnerability in Gladinet’s Triofox file-sharing and remote-access platform. The flaw allows unauthenticated remote actors to access application configuration/setup pages that should be protected, which can be leveraged to create administrative accounts, manipulate configuration (including the built-in anti-virus handling), upload malicious files, and ultimately execute arbitrary code on affected systems. The issue affects Triofox builds prior to the patched release (mitigated in 16.7.10368.56560); public reporting and threat intelligence indicate a high severity rating and active exploitation in the wild by threat actors.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Affected assets are outlined in this post.

• NIST
• Google Threat Intelligence

A critical remote code execution vulnerability (CVE-2025-59287) affects Microsoft Windows Server Update Services (WSUS). The flaw arises from deserialization of untrusted data, allowing an unauthenticated attacker with network access to send crafted serialized payloads and execute arbitrary code with SYSTEM privileges.
Microsoft rated the issue Critical (CVSS 9.8) and released out-of-band security updates on October 24, 2025, covering all supported Windows Server versions. Systems without the WSUS Server Role enabled are not affected. If patching is delayed, administrators can temporarily disable the WSUS role or block inbound traffic on ports 8530/8531 until updates are applied.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. We will update as soon as we have a list of potentially affected assets / confirmed findings.

• NIST NVD (CVE-2025-59287)
• Microsoft Security Update Guide – CVE-2025-59287

CVE-2025-53072 & CVE-2025-62481 Vulnerabilities in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.2.3 – 12.2.14. Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of these vulnerabilities can result in takeover of Oracle Marketing.
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A list of potentially affected assets is outlined in this post.

• CVE-2025-53072 at NIST
• CVE-2025-62481 at NIST
• Oracle Critical Patch Update Advisory

A large-scale breach of F5 Networks was disclosed after the company discovered long‑term, persistent access by a highly capable nation‑state actor to certain product development and engineering systems. The intruders exfiltrated portions of BIG‑IP source code and undisclosed vulnerability/bug information. Customers are highly recommended to apply the latest patches to F5 appliances. The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A partial list of potentially affected assets is outlined in this post.

• F5 Vendor Advisory

A critical vulnerability, CVE-2025-49844 (dubbed “RediShell”), exists in Redis’s Lua scripting subsystem. The flaw is a use‑after‑free vulnerability in the embedded Lua interpreter that can allow an attacker who can execute Lua scripts (for example, via EVAL or modules) to escape the Lua sandbox and achieve arbitrary code execution on the underlying host. The issue traces back to code added in 2012 and affects Redis releases that include Lua scripting support; Redis published patches (6.2.20, 7.2.11, 7.4.6, 8.0.4 and 8.2.2) on October 3, 2025. The vulnerability is rated critical (CVSS 9.9) because successful exploitation can lead to full system compromise and persistence on affected hosts.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-49844 at NIST
• Redis Security Advisory (RediShell)
• Wiz research analysis

CVE-2025-61882 is a remote code execution vulnerability affecting the Oracle E-Business Suite. Oracle’s vendor advisory indicates the issue is remotely exploitable without authentication, meaning an attacker can target vulnerable E-Business Suite deployments over the network without valid credentials. Successful exploitation may allow RCE on the affected instance.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-61882 at NIST
• Oracle Vendor Advisory

CVE‑2025‑20333 is a vulnerability in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software allows an authenticated, remote attacker to execute arbitrary code on an affected device. The flaw results from improper validation of user-supplied input in HTTP(S) requests. With valid VPN credentials, an attacker can send crafted requests to the device and, upon successful exploitation, achieve root-level code execution — potentially leading to full device compromise.

CVE-2025-20362 is a medium-severity flaw in Cisco ASA and FTD VPN web servers that lets unauthenticated attackers access restricted URLs without authentication. With no workarounds available and exploitation attempts already observed, Cisco strongly recommends upgrading to a fixed release.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-20333 at NIST
• CVE-2025-20362 at NIST
• Cisco security advisory

A critical vulnerability, CVE-2025-10035, has been reported in Fortra’s GoAnywhere Managed File Transfer (MFT) platform. The issue is a deserialization flaw in the License Servlet component that can be triggered by a forged license response signature; when exploited it allows attacker-controlled objects to be deserialized, potentially leading to command injection and full system compromise. The vulnerability has been assigned a maximum CVSSv3.1 score of 10.0. Administrators should consult the vendor advisory for exact affected versions and the vendor-supplied fixes or mitigations and apply them immediately.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-10035 at NIST
• Fortra Security Advisory FI-2025-012
• Coverage — The Register

CVE-2025-58434 is a critical authentication/authorization vulnerability affecting Flowise (Cloud and self-hosted) versions 3.0.5 and earlier. The application’s forgot-password endpoint returns a valid password reset temporary token (tempToken) in the API response without requiring proper authentication or verification, allowing any remote attacker to generate or obtain reset tokens for arbitrary users and immediately reset their passwords. Successful exploitation can lead to full account takeover, unauthorized access to saved flows and data, and potential lateral movement or persistence within impacted deployments.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE at NIST
• Flowise GitHub Advisory

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

• CVE-2025-42944 at NIST
• SAP Security Note

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This issue also affects any token with “project get” permissions, including global roles such as p, role/user, projects, get, *, allow. Fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. A partial list of potentially affected assets is listed in this post.

• CVE-2025-55190 at NIST
• Argo CD Security Advisory

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching.

• NVD
• GitHub Security Advisory
• FreePBX Community Advisory

A memory overflow vulnerability in NetScaler ADC and NetScaler Gateway may allow Remote Code Execution or Denial of Service when configured as Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It also affects LB virtual servers of type HTTP, SSL, or HTTP_QUIC bound to IPv6 services or service groups.
It affects versions 13.1 before 13.1-59.22, 14.1 before 14.1-47.48, 13.1-FIPS and NDcPP before 13.1-37.241, and 12.1-FIPS and NDcPP before 12.1-55.330.
Exploits of CVE-2025-7775 on unmitigated appliances have been observed in the wild.
The IONIX research team is tracking ongoing exploitation attempts and recommends follow the vendor security bulletin. Potentially affected assets are outlined in this post.

• CVE-2025-7775 at Nist
• Citrix Security Bulletin

A critical vulnerability, CVE-2025-57789, has been identified in Commvault Backup and Replication software prior to version 11.36.60. During the short window between installation and the first administrator login, remote attackers may exploit the default credential to gain administrative control. This issue is limited to the setup phase, before any jobs have been configured. Exploitation of this vulnerability can lead to remote code execution (RCE) via CVE-2025-57790, which is a post-authentication RCE.

• Vendor Advisory
• NIST Advisory

A critical vulnerability, CVE-2025-57791, has been identified in Commvault Backup and Replication software prior to version 11.36.60. Due to command-line argument injection being passed to authentication components without sufficient sanitization, it is possible to bypass authentication and gain administrative privileges. Exploitation of this vulnerability can lead to remote code execution (RCE) via CVE-2025-57790, which is a post-authentication RCE.

• Vendor Advisory
• NIST Advisory

A critical vulnerability, CVE-2025-25256, has been identified in FortiSIEM, where an OS command injection flaw allows attackers to execute arbitrary system commands remotely. The flaw arises from insufficient input sanitization in command processing, which can lead to full system compromise and unauthorized access when exploited.
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching according to the advisory. Potentially affected assets are detailed in this post.

• CVE-2025-25256 at NIST
• Fortinet Advisory

A critical vulnerability CVE-2025-54253 has been identified in Adobe Experience Manager (AEM) Forms, in versions 6.5.23 and earlier, where a misconfiguration allows attackers to remotely execute arbitrary code on the impacted server. Exploitation of this flaw can lead to unauthorized access and compromise of sensitive customer data, posing significant risks to confidentiality and system integrity. Organizations using AEM Forms are strongly advised to review their current deployment and apply the necessary patches to mitigate this risk.

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Affected assets are outlined in this post.

• CVE-2025-54253 At NIST
• Adobe Vendor Advisory

A critical vulnerability, CVE-2025-53770, affects on-premises deployments of Microsoft SharePoint Server. The flaw stems from insecure deserialization of untrusted data, allowing unauthorized attackers to remotely execute arbitrary code over the network. Microsoft has confirmed that this vulnerability is actively being exploited in the wild. While a comprehensive security update is undergoing testing, Microsoft has issued interim mitigation guidance to reduce exposure. IONIX urges organizations to apply these mitigations immediately to protect vulnerable SharePoint instances from exploitation.

• CVE-2025-53770 at NIST
• Microsoft Security Advisory

An improper neutralization of special elements used in an SQL command in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. The vulnerability can be further escalated to a Remote Code Execution. The IONIX research team validated the impact through successful exploit reproduction, as detailed in this advisory.

• Mitre
• Vendor Advisory

A critical vulnerability, CVE-2025-5777, has been identified in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw is a memory over-read caused by insufficient input validation, which can allow unauthenticated attackers to extract valid session tokens from memory. It affects multiple versions prior to 14.1-43.56 and 13.1-58.32. The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially exposed assets are outlined in this post.

• CVE-2025-5777 at Nist
• Citrix Security Bulletin

A critical vulnerability, CVE-2025-6543, has been identified in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability is a memory overflow that may lead to unintended control flow and denial of service (DoS). It affects multiple versions prior to 14.1-47.46 and 13.1-59.19. Public exploitation has been observed, with reports indicating active targeting in the wild. The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially exposed assets are outlined in this post.

• CVE-2025-6543 at Nist
• Citrix Security Bulletin

A critical vulnerability, CVE-2025-30220, has been identified in GeoServer’s Web Feature Service (WFS), impacting versions 2.27.0, 2.26.0 through 2.26.2, and all versions up to 2.25.6. The flaw originates from the underlying GeoTools library (gt-xsd-core), which mishandles XML parsing by bypassing the intended AllowListEntityResolver. This allows unauthenticated attackers to submit specially crafted XML payloads containing external entity definitions, leading to XML External Entity (XXE) injection. The vulnerability enables remote, unauthenticated exploitation that compromises confidentiality and internal network isolation. The issue also affects dependent systems such as GeoNetwork and the GeoTools WFS-NG datastore. Patched versions have been released for GeoServer (2.27.1, 2.26.3, 2.25.7), GeoTools (33.1, 32.3, 31.7, 28.6.1), and GeoNetwork (4.4.8, 4.2.13). The IONIX research team confirmed the vulnerability and validated the risk through successful exploit reproduction, as detailed in this advisory.

• CVE-2025-30220 at NIST

A critical vulnerability, CVE-2025-4009, has been identified in Evertz SDVN 3080ipx-10G and other devices leveraging the webEASY (ewb) management interface. This flaw affects all current versions and arises from a combination of an authentication bypass and unauthenticated command injection in administrative endpoints. By crafting a specially encoded JSON token, attackers can gain unauthorized administrative access. Leveraging this access, they can exploit the feature-transfer-import.php and feature-transfer-export.php endpoints to inject arbitrary system commands. This vulnerability enables unauthenticated remote code execution (RCE) as root on affected devices, potentially allowing full system takeover, disruption of broadcast workflows, and lateral movement within media infrastructure networks. The IONIX research team validated the impact through successful exploit reproduction, as detailed in this advisory.

• CVE-2025-4009 at NIST

A critical vulnerability, CVE-2025-34027, has been identified in the Versa Concerto SD-WAN orchestration platform, affecting versions 12.1.2 through 12.2.0. This flaw results from a misconfiguration in the Traefik reverse proxy that enables authentication bypass, granting unauthorized access to administrative endpoints. Exploiting the vulnerable Spack upload endpoint, attackers can leverage a Time-of-Check to Time-of-Use (TOCTOU) race condition to manipulate file paths during load operations. This enables unauthenticated remote code execution (RCE) on the underlying system. The IONIX research team confirmed the impact through controlled exploit validation, as detailed in this post.

• CVE-2025-34027 at NIST

A critical remote code execution (RCE) chain, involving CVE-2025-4427 and CVE-2025-4428, has been identified in Ivanti Endpoint Manager Mobile (EPMM) versions up to 12.5.0.0. CVE-2025-4427 allows unauthenticated attackers to bypass authentication controls via the API component, granting access to otherwise protected resources. Chaining this with CVE-2025-4428, attackers with API access can craft malicious requests to execute arbitrary code on the underlying system. The exploitation of this pre-auth RCE chain poses a severe risk of full system compromise. Ivanti has released security updates to address both flaws, and immediate patching is strongly recommended. The IONIX research team successfully validated the attack vector in a controlled environment, as detailed in this post.

• CVE-2025-4427 at NIST
• CVE-2025-4428 at NIST
• Ivanti EPMM Security Advisory

A critical vulnerability, CVE-2025-2775, has been identified in SysAid On-Prem versions ≤ 23.3.40, exposing the platform to an unauthenticated XML External Entity (XXE) injection flaw within the Checkin processing functionality. This vulnerability allows remote attackers to exploit XML parsing behavior to read arbitrary files from the server or gain access to sensitive information, including administrator credentials. Successful exploitation can lead to full administrative account takeover and further system compromise. SysAid has released a security advisory urging immediate patching. The IONIX research team verified the vulnerability’s impact through exploit simulation, detailed in this post.

• CVE-2025-2775 at NIST
• Vendor advisory
• IONIX Blog

A critical vulnerability, CVE-2025-31324, has been identified in SAP NetWeaver Visual Composer, allowing unauthenticated remote code execution via the Metadata Uploader component. This flaw arises from improper authentication checks, enabling attackers to send crafted HTTP/HTTPS requests to upload malicious binaries. Successful exploitation can result in complete system compromise. The issue affects all SAP NetWeaver 7.xx versions. Users are strongly advised to apply the emergency patch released by SAP. The IONIX research team verified the vulnerability’s impact through exploit simulation, detailed in this post.

• Nist – CVE-2024-28995
• IONIX – Exploited! SAP NetWeaver Visual Composer Unauthenticated File-Upload Vulnerability
• The Hacker News – New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell Brute Ratel Framework

A critical vulnerability, CVE-2025-32433, has been discovered in the SSH server implementation within Erlang/OTP, allowing unauthenticated remote code execution through malformed SSH messages. This flaw arises from improper handling of protocol messages before authentication is completed, enabling attackers to send crafted payloads that the server processes unsafely. If the SSH daemon is running with elevated privileges, successful exploitation can result in complete system compromise. The issue affects multiple Erlang/OTP branches, including versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. In environments where immediate patching is not feasible, administrators should consider disabling SSH temporarily or applying strict network access controls. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.

• CVE-2025-32433 at NIST
• Erlang Security Advisories

A critical vulnerability, CVE-2025-2825, has been identified in CrushFTP. This vulnerability allows remote unauthenticated access via specially crafted HTTP(S) requests, bypassing authentication checks through a flaw in the loginCheckHeaderAuth() method. It affects instances with S3-compatible API access enabled and can be exploited with knowledge of a valid username. This issue has been patched in CrushFTP 11.3.1, and users are strongly advised to upgrade. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.

• CVE-2025-2825 at NIST
• The Hacker News

A series of critical vulnerabilities (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514) have been identified in the Ingress NGINX Controller for Kubernetes. These vulnerabilities allow unauthenticated remote code execution (RCE) via crafted requests to the Validating Admission Controller and admission controller components of ingress-nginx. Exploitation of these vulnerabilities can lead to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, potentially resulting in a complete cluster takeover. These issues have been patched in Ingress NGINX versions 1.12.1 and 1.11.5, users are strongly advised to upgrade. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure.

• CVE-2025-1974 at NIST
• CVE-2025-1097 at NIST
• CVE-2025-1098 at NIST
• CVE-2025-24514 at NIST
• Wiz Research Team

A critical authentication bypass vulnerability has been identified in Kentico Xperience CMS versions prior to 13.0.173. The vulnerability stems from an issue in the staging endpoint /CMSPages/Staging/SyncServer.asmx that allows attackers to forge requests and bypass authorization controls.
This vulnerability can be exploited to gain full control over affected Xperience instances, specifically those with staging enabled and configured to use username and password authentication. Instances using X.509 certificate-based authentication are not affected. The findings are detailed in this post. Kentico has released a hotfix addressing this vulnerability.

• Cyber Security News Kentico Xperience CMS
• Kentico Hotfix 13.0.173

A critical vulnerability, CVE-2025-24893, has been identified in XWiki Platform. This vulnerability allows unauthenticated remote code execution (RCE) via crafted requests to the SolrSearch endpoint, embedding Groovy script execution within the search query parameters. It impacts the confidentiality, integrity, and availability. This issue has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1, and users are strongly advised to upgrade. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.

• CVE-2025-24893 at NIST
• Vendor advisory

A critical Authentication Bypass vulnerability has been identified in FortiOS and FortiProxy, allowing remote attackers to gain super-admin privileges via crafted requests to the Node.js WebSocket module. Affected versions include FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Reports indicate that this vulnerability is being actively exploited in the wild.
Indicators of compromise include the creation of suspicious new admin users with six-character random strings (e.g., Gujhmk, Ypda8a). Additionally, attackers have been observed using the following IPs: 45.55.158.47, 87.249.138.47, 155.133.4.175, 37.19.196.65, and 149.22.94.37.
The IONIX research team is actively monitoring the situation and will provide updates if a public exploit becomes available. Meanwhile, the list of potentially impacted assets can be found in this post. For detailed guidance, refer to Fortinet’s Upgrade Tool and follow the provided workaround instructions.

• CVE-2024-55591 at Nist
• Fortiguard Advisory
• Fortinet's Upgrade Tool

A critical vulnerability, CVE-2024-50603, has been identified in Aviatrix Controller versions prior to 7.1.4191 and 7.2.x versions prior to 7.2.4996. This vulnerability stems from the improper neutralization of special elements used in OS commands, allowing an unauthenticated attacker to execute arbitrary code. Exploitation is possible by sending shell metacharacters to the /v1/api endpoint in the cloud_type parameter for list_flightpath_destination_instances or the src_cloud_type parameter for flightpath_connection_test. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post

• Vendor release notices
• NIST NVD Entry

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

• Vendor advisory
• NIST NVD Entry

The Mitel Collab Arbitrary File Read Vulnerability, combining CVE-2024-41713 and another yet-to-be-assigned issue, allows unauthenticated attackers to remotely and easily exploit the system to read arbitrary files from the underlying file system of a Mitel Collab server. By sending specially crafted requests, attackers can bypass access controls and retrieve sensitive files due to improper input validation and directory traversal flaws. To mitigate this vulnerability, follow the vendor advisory for CVE-2024-41713, ensuring the application properly validates and sanitizes user input to prevent directory traversal attacks.

• Mitel MiCollab zero-day flaw gets proof-of-concept exploit
• Mitel MiCollab zero-day and PoC exploit unveiled
• Mitel Product Security Advisory for CVE-2024-41713

• Exploitable! CVE-2024-0012 Authentication Bypass for PAN-OS – Blog
• CVE-2024-0012 at NIST
• Vendor advisory
• Vendor best practice
• CVE-2024-0012 at CISA

• CVE-2024-10924 Explained: Security plugin flaw in millions of WordPress sites – Blog
• CVE-2024-10924 at NIST
• Security plugin flaw in millions of WordPress sites gives admin access

Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

The vulnerability is extremely easy to exploit and is marked by CISA as exploitable.

• Vendor advisory
• CISA: Ivanti Releases Admin Bypass Security Update for Cloud Services Appliance

CyberPanel is a free and open-source control panel for Linux servers, designed to simplify web hosting and server management tasks.
A recent vulnerability was discovered in CyberPanel, allowing an easy remote code execution on the affected machines.

The vulnerability is known to be exploited in the wild and an exploit is publicly available.

We recommend to upgrade to the latest version available and follow the referenced vendor’s advisory (Github patch is referenced).

• Details and fix of recent security issue and patch of CyberPanel
• What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE
• Github patch

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.

Cisa marked this vulnerability as exploited.

• Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
• CISA Adds One Known Exploited Vulnerability to Catalog

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.

CISA marked this vulnerability as known exploited.

As of now, IONIX marked assets as potentially affected, if they are known to be running FortiOS, or a technology that implies FortiOS with high probability.

• Vendor advisory: Format String Bug in fgfmd
• CISA Adds Three Known Exploited Vulnerabilities to Catalog
• CISA says critical Fortinet RCE flaw now exploited in attacks

CUPS (Common UNIX Printing System) is a standards-based, open-source printing system. Recent several vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) were discovered and are potentially allowing hackers to remotely run code on machines that expose the service over UDP (usually, on port 631).

It is recommended to block ports for UDP. It is a good practice to avoid open IPP services also over UDP.

As checking for affected UDP open services triggers a connection from the vulnerable machine to the attacking system, and relying on the fact that most of the detected vulnerable systems over UDP had open IPP service over TCP on the same port, IONIX marks assets as potentially affected based on services with open IPP ports (TCP). Notice, that having IPP service publicly open is also not a good practice, and we recommend to close it as well.

• Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution
• CUPS flaws enable Linux remote code execution but there’s a catch
• Critical CUPS Vulnerabilities Expose Linux and Other Systems to Remote Attacks

The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.

• Nist – CVE-2024-8752

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records.

• CVE-2024-8503 at NIST

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

• CVE-2024-40711 at NIST
• Veeam Security Bulletin September 2024

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.

• CVE-2024-6670 at NIST
• WhatsUp Gold Security Bulletin August 2024

• CVE-2024-7593 at NIST
• Security Advisory for CVE-2024-7593
• Exploited: Ivanti Virtual Traffic Manager (VTM) (CVE-2024-7593)

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

• CVE-2024-6205 at NIST

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.

• National Vulnerability Database: CVE-2024-36401

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

• National Vulnerability Database: CVE-2024-5217
• Servicenow support

• Bleeping Computer – Polyfill.io JavaScript supply chain attack impacts over 100K sites
• Sansec Threat Report on Polyfill.io
• NIST CVE-2024-3526
• CVE – 2024-38526 – Polyfill Supply Chain Attack For Malicious Code Execution

Adobe Commerce (MAGENTO) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

• Nist – CVE-2024-34102
• Adobe Security Bulletin

CVE-2024-4577 critical remote code execution vulnerability in the PHP programming language could potentially allow unauthenticated attackers to take full control of affected PHP servers.

The vulnerability arises from an oversight in the Best-Fit feature of encoding conversion within the Windows operating system during PHP implementation. This oversight allows attackers to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers via an argument injection attack, enabling unauthorized access and control.

• PHP security release on 06 Jun 2024

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and ‘sid’ parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

• CVE-2024-3495 at NIST
• Cyber Security Agency of Singapore – Critical Vulnerabilities in WordPress Plugins

CISA has added CVE-2023-7028 vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability

• CISA Security Update

This vulnerability in the Automatic Plugin for WordPress, allows a SQL injection (SQLi) flaw and poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.
This vulnerability is being used to perform unauthorized database queries and create new admin accounts on susceptible WordPress sites
It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it.

• CVE-2024-27956 at NIST

An OS Command Injection vulnerability in PAN GlobalProtect is being exploited in the wild. IONIX is now running a full exploit simulation for this vulnerability to better detect vulnerability devices.

PAN versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 impacted. loud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

PAN is in the process of releasing hotfixes to update the affected versions. At this time not all versions have a hotfix available. You should check with PAN to see if a hotfix is available.

Additionally, PAN customers with a Threat Prevention subscription can protect themselves enabling Threat ID 95187.

In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation.

• CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
• Palo Alto Networks firewalls under attack – hotfixes incoming! (CVE-2024-3400)

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Exploits are available online and attempts to exploit the vulnerability were detected.

• Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
• CVE-2024-2879 at NIST

Automatic, a WordPress plugin, in versions <= 3.92.0 is vulnerable to Unauthenticated Arbitrary File Download and Server-Side Request Forgery attacks. The security issue is easy to exploit and it is reported to be exploited in the wild.

Critical authentication bypass vulnerability in JetBrains TeamCity before 2023.11.4 allows to perform admin actions.
CISA recognized this vulnerability as exploited.

• CISA Adds One Known Exploited JetBrains Vulnerability CVE-2024-27198 to Catalog
• Recent TeamCity Vulnerability Exploited in Ransomware Attacks

According to Fortinet, the Fortinet FortiOS vulnerability (affecting also Fortinet VPN) CVE-2024-21762 allows attackers to execute unauthorized code or commands via specifically crafted requests and is potentially exploited in the wild.
CISA marked the vulnerability as exploited.

While a full exploit simulation is not available, the IONIX research team used a deeper version analysis to distinguish between patched versions and older, vulnerable ones.
The analysis leverages a change that was done in the patched version that blocks “chunk-encoded” malformed requests. Our testing tool sends multiple test requests to see that the assets are live and then sends a badly formed “chunk-encoded” probe that is expected to time out only on vulnerable versions.

• Critical Fortinet FortiOS flaw exploited in the wild (CVE-2024-21762)
• Fortinet: FortiOS/FortiProxy – Out-of-bound Write in sslvpnd
• CISA: Fortinet Releases Security Advisories for FortiOS

The Ultimate Member plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

• WordPress Plugin Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

The ‘HTML5 Video Player’ WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
This leads to information leakage and potentially to remote code execution on the server.

• Jenkins Security Advisory 2024-01-24

Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

• PoC for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204)

An issue has been discovered in GitLab CE/EE, in which user account password reset emails could be delivered to an unverified email address resulting in Account Takeover via Password Reset without user interactions.
It is strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler.
The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

• CVE-2024-0352 in NIST