Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities has been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, and proof-of-concept code is available for some, which increases the urgency of prompt patching and mitigation.
Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
WordPress CVE-2025-6389 reported under active exploitation
A critical WordPress vulnerability, CVE-2025-6389, was disclosed as allowing unauthenticated remote code execution, with reports that attackers were already actively exploiting the flaw.
Next.js maximum-severity RCE CVE-2025-66478 disclosed
A critical remote code execution flaw in Next.js, CVE-2025-66478, was disclosed with a CVSS score of 10.0, indicating maximum severity and significant risk to affected deployments.
Vim for Windows CVE-2025-66476 disclosed
A high-severity Vim for Windows vulnerability, CVE-2025-66476, was reported as risking arbitrary code execution when users interact with compromised folders.
Synology BeeStation flaw chain with root RCE and PoC revealed
A Synology BeeStation exploit chain combining SQL injection with a novel dirty file write technique was disclosed as leading to root remote code execution, and a proof-of-concept was made available.
WP Directory Kit CVE-2025-13390 disclosed as auth bypass to admin takeover
CVE-2025-13390 was published for WP Directory Kit versions through 1.4.4, describing a predictable auto-login token weakness that allows unauthenticated attackers to bypass authentication and gain administrative access.
ACF Extended CVE-2025-13486 exposes 100,000 WordPress sites to RCE
A critical flaw in the ACF Extended WordPress plugin, CVE-2025-13486, was disclosed as allowing unauthenticated remote code execution and affecting roughly 100,000 sites.
Critical cPanel traversal and LPE flaw disclosed
A critical cPanel vulnerability with CVSS 9.3 was reported as enabling directory traversal and local privilege escalation, potentially leading to full server takeover in shared hosting environments.
Elementor plugin flaw CVE-2025-8489 reported under active exploitation
A critical Elementor plugin vulnerability, CVE-2025-8489, was disclosed with a CVSS score of 9.8 and reports of active exploitation enabling unauthenticated administrator takeover.
Django SQL injection flaw CVE-2025-13372 disclosed
A vulnerability in Django, tracked as CVE-2025-13372, was reported as allowing SQL injection through PostgreSQL FilteredRelation handling.
CISA warns of critical Longwatch OT surveillance RCE
CISA issued a warning for CVE-2025-13658, a critical Longwatch vulnerability rated CVSS 9.8 that could allow unauthenticated attackers to gain SYSTEM-level control of OT surveillance deployments.
lz4-java CVE-2025-12183 prompts migration to community fork
A high-severity vulnerability, CVE-2025-12183, was reported in the discontinued lz4-java library, with users urged to migrate to a community-maintained fork because the original project is no longer maintained.
nopCommerce session flaw CVE-2025-11699 reported
CVE-2025-11699 in nopCommerce was disclosed as a session management flaw that could allow attackers to reuse admin session cookies after logout and take over administrator accounts.
OpenVPN fixes critical heap over-read and HMAC bypass flaws
A report disclosed critical OpenVPN vulnerabilities, including a heap over-read rated CVSS 9.1 and an HMAC bypass issue that could enable denial-of-service attacks; fixes were reported to be available.
Apache Struts file leak vulnerability CVE-2025-64775 disclosed
A new Apache Struts vulnerability, CVE-2025-64775, was identified and reported as a file leak issue that could let attackers exhaust disk space on affected systems.
Sources
Maximum Severity Alert: Critical RCE Flaw Hits Next.js (CVE-2025-66478, CVSS 10.0) (securityonline.info)
High-Severity Vim for Windows Flaw (CVE-2025-66476) Risks Arbitrary Code Execution from Compromised Folders (securityonline.info)
Critical WordPress Flaw (CVE-2025-6389) Under Active Exploitation Allows Unauthenticated RCE (securityonline.info)
Synology BeeStation Flaw Chain Leads to Root RCE Via Novel "Dirty File Write" SQL Injection, PoC Available (securityonline.info)
Critical Elementor Plugin Flaw (CVE-2025-8489, CVSS 9.8) Under Active Exploitation Allows Unauthenticated Admin Takeover (securityonline.info)
CVE-2025-64775: Apache Struts "File Leak" Vulnerability Threatens Disk Exhaustion (securityonline.info)
nopCommerce Flaw (CVE-2025-11699) Allows Admin Takeover by Reusing Session Cookies After Logout (securityonline.info)
Critical OpenVPN Flaws Fix: Heap Over-Read (CVSS 9.1) and HMAC Bypass Allow DoS Attacks (securityonline.info)