All news with #actively exploited tag

CISA Warns of Critical CentOS Web Panel RCE Exploit

⚠️ CISA warns that a critical remote command execution vulnerability, tracked as CVE-2025-48703, is being exploited in the wild against CentOS Web Panel (CWP). The flaw impacts all CWP versions before 0.9.8.1204 and allows unauthenticated attackers who know a valid username to inject shell commands via the file-manager changePerm t_total parameter. The vendor fixed the issue in 0.9.8.1205, and federal agencies have until Nov 25 under BOD 22-01 to remediate or stop using the product.

Critical Auth Bypass in JobMonster WordPress Theme Attack

🔒 Threat actors are actively exploiting a critical authentication bypass in the JobMonster WordPress theme (CVE-2025-5397) that can lead to administrator account takeover under specific conditions. The flaw affects all versions up to 4.8.1 and is caused by the theme's check_login() function trusting external social login data without proper verification. To succeed, attackers typically need social login enabled and knowledge of an admin username or email. The issue is fixed in 4.8.2; immediate mitigations include upgrading, disabling social login, enabling two‑factor authentication, rotating credentials, and reviewing access logs.

Australia warns of BadCandy infections on Cisco devices

⚠️ The Australian Signals Directorate warns of ongoing attacks against unpatched Cisco IOS XE devices being backdoored with the Lua-based BadCandy webshell. The exploited flaw, CVE-2023-20198, allows unauthenticated actors to create local admin accounts via the web UI and execute commands with root privileges. Cisco issued a patch in October 2023, but many internet-exposed devices remain vulnerable and have been repeatedly re-infected.

ToolShell SharePoint Exploit Hits Organizations Worldwide

⚠️ Symantec reports that hackers linked to China exploited the ToolShell vulnerability (CVE-2025-53770) in on-premise Microsoft SharePoint servers to target government agencies, universities, telecommunications providers, and financial firms across four continents. The zero-day, disclosed on July 20, was used to plant webshells and enable remote code execution. Attackers deployed DLL side-loading to load a Go backdoor named Zingdoor, later chained to ShadowPad, KrustyLoader, and the Sliver framework, and performed credential dumping and PetitPotam abuse to escalate to domain compromise.

Oracle Quietly Fixes E-Business Suite SSRF Zero-Day

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

Surge in Scans Targeting Palo Alto Network Login Portals

🔍 GreyNoise has observed a roughly 500% rise in IP addresses scanning Palo Alto Networks login portals, primarily emulating GlobalProtect and PAN-OS profiles. Activity peaked on October 3 with more than 1,285 unique IPs—typical daily scans are usually under 200—while most sources were geolocated to the United States with smaller clusters in the UK, Netherlands, Canada, and Russia. GreyNoise classified 91% of the IPs as suspicious and 7% as malicious, noting clusters with distinct TLS fingerprints and warning this reconnaissance could precede exploitation attempts; administrators should verify device exposure and monitoring.

HexStrike‑AI Enables Rapid N‑Day Exploitation of Citrix

🔒 HexStrike-AI, an open-source red‑teaming framework, is being adopted by malicious actors to rapidly weaponize newly disclosed Citrix NetScaler vulnerabilities such as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Check Point Research reports dark‑web chatter and evidence of automated exploitation chains that scan, exploit, and persist on vulnerable appliances. Defenders should prioritize immediate patching, threat intelligence, and AI-enabled detection to reduce shrinking n‑day windows.