Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products was publicly disclosed in October 2025. Three of them carry CVE-2017-* identifiers because they cover long-standing WordPress plugin flaws. The disclosures, in brief:

- Epsilon RH (Grupo Castilla), CVE-2025-41028: SQL injection. Crafted POST requests to the 'sEstadoUsr' parameter of the '/epsilonnetws/WSAvisos.asmx' endpoint reach the database and allow records to be read or modified.
- Lanscope Endpoint Manager, CVE-2025-61932: improper verification of the origin of a communication channel. Specially crafted packets sent to the affected component can lead to arbitrary code execution.
- Galaxy Software Services Vitals ESP Forum Module, CVE-2025-31342: remote authenticated users can upload files of dangerous types, leading to arbitrary command execution.
- Fsas Technologies Inc. ETERNUS SF, CVE-2025-62577: incorrect default permissions let low-privileged users read database credentials and potentially escalate to OS command execution as an administrator.
- Excellent Infotek Document Management System, CVE-2025-11948: unauthenticated arbitrary file upload, enabling web shell deployment and code execution on the server.
- Vvveb CMS up to version 1.0.5, CVE-2025-8518: authenticated code injection through the Code Editor lets an attacker modify files and achieve remote code execution.
- Theme Editor plugin for WordPress, CVE-2025-9890: cross-site request forgery that leads to remote code execution if an administrator is tricked into clicking a malicious link.
- PPOM plugin for WooCommerce, CVE-2025-11391: unauthenticated arbitrary file upload, a severe risk to affected e-commerce sites.
- Appointments (CVE-2017-20206) and Flickr Gallery (CVE-2017-20207) plugins for WordPress: unauthenticated PHP object injection, actively exploited to create backdoors by abusing the WP_Theme class.
- RegistrationMagic, CVE-2017-20208: PHP object injection that allows attackers to fetch and install remote files.
- BLU-IC2 and BLU-IC4 devices, CVE-2025-11925: the API returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses.

Several of these flaws allow remote code execution, privilege escalation, or the installation of persistent backdoors, and the affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams should review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, since several of these vulnerabilities have been reported as actively exploited in the wild. The breadth and severity of the batch is a reminder that vulnerability management has to keep pace with public advisories.
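As an added example (not code from any of the advisories or vendors above), the following Python triages parsed web-request records for the request patterns this roundup names: SQL metacharacters in the sEstadoUsr parameter posted to /epsilonnetws/WSAvisos.asmx, a serialized PHP object in the wpmudev_appointments cookie, a cross-origin POST to the theme_editor_theme admin page, and uploads with server-side executable names. The record schema, the example.test hostnames and the sample requests are constructed for illustration; the cookie value only mimics the shape of a serialized WP_Theme object and is not the payload seen in the wild.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Header of a serialized PHP object: O:<name length>:"<class>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)":\d+:\{')
# Coarse SQL-metacharacter heuristic; sEstadoUsr is expected to carry a short status code.
SQLI_RE = re.compile(r"(?i)('|--|/\*|;|\bunion\b|\bselect\b|\bwaitfor\b|\bor\b\s+\d+\s*=\s*\d+)")
# Server-side executable extensions, including double-extension names such as shell.php.jpg
EXEC_EXT_RE = re.compile(r"\.(php|phtml|phar|php[3-8])(\.|$)", re.I)


def php_object_classes(blob: str) -> list[str]:
    """Class names of every serialized PHP object in blob (URL-decoded first)."""
    return PHP_OBJECT_RE.findall(unquote(blob))


def triage(req: dict) -> list[str]:
    """Return human-readable findings for one request record; an empty list means nothing matched."""
    findings = []
    method = req.get("method", "GET").upper()
    url = urlsplit(req.get("url", ""))
    path = url.path.lower()
    query = parse_qs(url.query)
    body = parse_qs(req.get("body", ""))  # form-encoded POST body
    cookies = req.get("cookies", {})
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    # CVE-2025-41028: SQL injection through the sEstadoUsr POST parameter of WSAvisos.asmx
    if method == "POST" and path.endswith("/epsilonnetws/wsavisos.asmx"):
        for value in body.get("sEstadoUsr", []):
            if SQLI_RE.search(value):
                findings.append(f"CVE-2025-41028: SQL metacharacters in sEstadoUsr={value!r}")

    # CVE-2017-20206: the Appointments plugin unserializes the wpmudev_appointments cookie
    if "wpmudev_appointments" in cookies:
        classes = php_object_classes(cookies["wpmudev_appointments"])
        if classes:
            findings.append(f"CVE-2017-20206: serialized PHP object(s) in cookie: {classes}")

    # CVE-2025-9890: a state-changing request to the Theme Editor page that arrives from another
    # origin is the CSRF signature (heuristic: compare the Referer host with the Host header).
    if method == "POST" and query.get("page") == ["theme_editor_theme"]:
        referer_host = urlsplit(headers.get("referer", "")).hostname
        site_host = headers.get("host", "").split(":")[0].lower()
        if referer_host and referer_host != site_host:
            findings.append(f"CVE-2025-9890: cross-origin POST to theme_editor_theme from {referer_host}")

    # CVE-2025-11948 / CVE-2025-11391: uploads whose names would execute server-side
    for name in req.get("upload_filenames", []):
        if EXEC_EXT_RE.search(name):
            findings.append(f"upload of executable file name {name!r}")

    return findings


# Constructed sample requests (made up for this example, not captured traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://hr.example.test/epsilonnetws/WSAvisos.asmx",
     "body": "sEstadoUsr=A&sIdUsr=1001"},                                   # benign status lookup
    {"method": "POST", "url": "https://hr.example.test/epsilonnetws/WSAvisos.asmx",
     "body": "sEstadoUsr=A%27%20OR%201%3D1--&sIdUsr=1001"},                 # tautology injected
    {"method": "GET", "url": "https://blog.example.test/",                  # serialized object in cookie
     "cookies": {"wpmudev_appointments":
                 "O%3A8%3A%22WP_Theme%22%3A1%3A%7Bs%3A5%3A%22cache%22%3Bs%3A1%3A%22x%22%3B%7D"}},
    {"method": "POST", "url": "https://blog.example.test/wp-admin/admin.php?page=theme_editor_theme",
     "headers": {"Host": "blog.example.test", "Referer": "https://attacker.example.test/lure.html"},
     "body": "content=x"},                                                 # admin lured from elsewhere
    {"method": "POST", "url": "https://shop.example.test/wp-admin/admin-ajax.php",
     "upload_filenames": ["invoice.php.jpg", "logo.png"]},                  # web shell under double extension
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, triage(req) or "clean")
```

Run it directly to print per-request findings; in practice the records would come from a log parser or proxy export. The SQL and Referer checks are heuristics that will produce false positives on unusual but legitimate input, so treat a hit as a lead to review, not a verdict.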

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CVE-2025-41028 SQL injection in Epsilon RH is published
A critical unauthenticated SQL injection vulnerability, CVE-2025-41028, was published for Epsilon RH. The flaw affects the `/epsilonnetws/WSAvisos.asmx` endpoint via the `sEstadoUsr` parameter and could let remote attackers read or modify database records.
Metasploit pull request adds Vvveb CMS CVE-2025-8518 exploit module
A Metasploit Framework pull request was opened to add an authenticated remote code execution module for Vvveb CMS tied to CVE-2025-8518. This represents public technical enablement for exploitation of the vulnerability.
Theme Editor WordPress plugin RCE-related CSRF flaw published
CVE-2025-9890 was published for the WordPress Theme Editor plugin through version 3.0. The flaw stems from missing or incorrect nonce validation on the `theme_editor_theme` page and could allow remote code execution if an administrator is tricked into performing a malicious request.
Appointments WordPress plugin flaw is actively exploited in the wild
A critical unauthenticated PHP object injection vulnerability affecting the WordPress Appointments plugin through version 2.2.1 was reported as being actively exploited. Attackers were said to abuse deserialization of the `wpmudev_appointments` cookie and leverage the `WP_Theme()` class to create backdoors.
CVE-2025-11925 disclosed for BLU-IC2 and BLU-IC4 API content-type issue
A critical vulnerability, CVE-2025-11925, was published for BLU-IC2 and BLU-IC4 through version 1.19.5. The issue involves API endpoints returning `text/html` instead of `application/json`, creating a risk of HTML or JavaScript injection in responses, with remediation guidance to correct response headers.
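The check a practitioner would want for the BLU-IC2/BLU-IC4 issue is a response audit: does a JSON body come back labelled as a document, and does it carry anything a browser would execute once it renders it as one? The Python below is an added example, not BLU-IC2 firmware or vendor code; the sample reply is constructed, and the "fixed" header set is the generic remediation (application/json plus X-Content-Type-Options: nosniff), not the vendor's actual patch.

```python
import json
import re

# Markup that would execute or load a resource if the body is rendered as a document
ACTIVE_HTML_RE = re.compile(r"<\s*(script|img|svg|iframe|object|embed)\b", re.I)


def parses_as_json(body: str) -> bool:
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def audit_response(headers: dict, body: str) -> list[str]:
    """Findings for one HTTP response; an empty list means the JSON is served safely."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    findings = []
    if parses_as_json(body) and ctype != "application/json":
        findings.append(f"JSON body labelled {ctype or 'no Content-Type'}: a browser will render it as a document")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff, so a browser may sniff the type anyway")
    if ctype == "text/html" and ACTIVE_HTML_RE.search(body):
        findings.append("active HTML inside a text/html body: reflected input will execute")
    return findings


# Constructed example: an API reply echoing a user-supplied device name (made up, not a BLU-IC2 capture).
SAMPLE_BODY = json.dumps({"device": "BLU-IC2", "name": "<script>alert(document.cookie)</script>"})
VULNERABLE_HEADERS = {"Content-Type": "text/html"}
FIXED_HEADERS = {"Content-Type": "application/json; charset=utf-8",
                 "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    print("vulnerable:", audit_response(VULNERABLE_HEADERS, SAMPLE_BODY))
    print("fixed:", audit_response(FIXED_HEADERS, SAMPLE_BODY))
```

The same body passes under the fixed headers because the browser then treats it as data rather than markup; correcting the header is the fix, but output encoding of reflected fields is still worth keeping as defence in depth.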
Sources
CVE-2025-41028 - SQL injection in Epsilon RH (cvefeed.io)
CVE-2025-61932 - Lanscope Endpoint Manager RCE (cvefeed.io)
CVE-2025-31342 - Galaxy Software Services Vitals ESP Forum Module - Unrestricted Upload of File with Dangerous Type (cvefeed.io)
CVE-2025-62577 - Fsas Technologies Inc. ETERNUS SF Incorrect Default Permissions Privilege Escalation (cvefeed.io)
CVE-2017-20206 - Appointments <= 2.2.1 - Unauthenticated PHP Object Injection (cvefeed.io)
CVE-2017-20207 - Flickr Gallery <= 1.5.2 - Unauthenticated PHP Object Injection (cvefeed.io)
CVE-2017-20208 - RegistrationMagic - Custom Registration Forms <= 3.7.9.2 - PHP Object Injection (cvefeed.io)
CVE-2025-11925 - Incorrect Content-Type Header (cvefeed.io)


