Multiple High-Impact Vulnerabilities Disclosed Across Diverse Software Products
A series of critical and high-severity vulnerabilities has been disclosed affecting a wide range of software products, including network devices, workflow automation platforms, document management systems, and developer tools. Notable issues include command injection flaws in TRENDnet TEW-800MB routers (CVE-2025-15136, CVE-2025-15137), remote code execution vulnerabilities in Xspeeder SXZOS (CVE-2025-54322), Eigent (CVE-2025-68952), StreamVault (CVE-2025-66203), n8n (CVE-2025-68668), and Yealink T21P_E2 phones (CVE-2025-66738). Additional vulnerabilities involve authentication bypasses in IBM API Connect (CVE-2025-13915) and Eaton UPS Companion (CVE-2025-59887), a session token capture flaw in M-Files Server (CVE-2025-13008), prototype pollution in apidoc-core (CVE-2025-13158), and a blind SQL injection in Cloudlog (CVE-2024-44065). Several of these vulnerabilities allow remote exploitation, and for some of them exploits are already publicly available.
Vendors have released patches for many of the affected products, such as Eigent, StreamVault, LMDeploy, and n8n, while others, such as the TRENDnet flaws, have public exploits but no vendor response. The vulnerabilities present risks ranging from arbitrary code execution and privilege escalation to unauthorized access and data exposure. Organizations using the affected products are strongly advised to review the relevant advisories, apply available patches, and implement recommended mitigations to reduce the risk of exploitation. The diversity and severity of these vulnerabilities underscore the importance of timely vulnerability management and monitoring for emerging threats across the software supply chain.

How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
Second TRENDnet TEW-800MB command injection flaw disclosed in NTPSyncWithHost.cgi
CVE-2025-15137 was published for TRENDnet TEW-800MB, describing remote command injection in the NTPSyncWithHost.cgi sub_F934 function. The advisory noted public exploit availability and that no official patch or vendor response had been provided as of publication.
TRENDnet TEW-800MB wizardset command injection disclosed without vendor response
CVE-2025-15136 was published for TRENDnet TEW-800MB 1.0.1.0, where the do_setWizard_asp function in /goform/wizardset could be abused for remote command execution via the WizardConfigured argument. The disclosure said the vendor had been notified but had not responded, and public exploits were already available.
PHP patches PDO PostgreSQL null pointer dereference across supported branches
CVE-2025-14180 was published for multiple PHP branches using the PDO PostgreSQL driver with emulated prepares enabled, where invalid character sequences could trigger a null pointer dereference and crash. PHP maintainers released fixes for affected versions and advised immediate upgrades.
Xspeeder SXZOS unauthenticated root RCE vulnerability published
CVE-2025-54322 was disclosed for Xspeeder SXZOS, allowing unauthenticated attackers to execute root-level commands through base64-encoded Python code in the chkid parameter of vLogin.py. The advisory recommended sanitizing input, restricting access, and updating to the latest version.
Eigent 1-click RCE vulnerability fixed in version 0.0.61
CVE-2025-68952 was disclosed for Eigent 0.0.60, describing a one-click remote code execution flaw that could execute arbitrary code on a victim machine or server after a single user interaction. The issue was patched in version 0.0.61, and public GitHub PoC material was referenced.
StreamVault authenticated RCE disclosed and patched in version 251126
CVE-2025-66203 was published for StreamVault versions prior to 251126, where authenticated administrators could inject malicious yt-dlp arguments through /admin/api/saveConfig and achieve remote code execution. The vendor patched the issue in version 251126, and public advisories and PoC material were available.
M-Files discloses session token capture flaw and releases patched versions
CVE-2025-13008 was disclosed for M-Files Server's web interface, allowing authenticated attackers to capture and reuse session tokens from other active users. Patched versions were released across affected branches, and organizations were urged to prioritize updates and monitor for abuse.
LMDeploy patches insecure deserialization flaw in version 0.11.1
CVE-2025-67729 was published for LMDeploy, where unsafe use of torch.load() could allow arbitrary code execution when loading malicious model checkpoint files. The vulnerability was fixed in LMDeploy 0.11.1, and users were advised not to load untrusted model files.
n8n discloses and patches Python Code Node sandbox escape in 2.0.0
CVE-2025-68668 was disclosed for n8n versions 1.0.0 up to but not including 2.0.0, where authenticated users with workflow permissions could escape the Pyodide-based Python Code Node sandbox and execute host commands. The issue was patched in version 2.0.0, with workarounds including disabling the Code Node or Python support.
Yealink T21P_E2 phone RCE vulnerability published
CVE-2025-66738 was disclosed for the Yealink T21P_E2 phone running firmware 52.84.0.15, allowing a remote attacker with normal privileges to execute arbitrary code through the diagnostic ping function. Recommended mitigations included firmware updates and restricting access to the diagnostic interface.
apidoc-core prototype pollution flaw disclosed with GitHub PoC
CVE-2025-13158 was published for apidoc-core from version 0.2.0 onward, describing a remotely exploitable prototype pollution issue in multiple worker modules via the define property. The disclosure noted GitHub proof-of-concept code and advised updating to a patched release.
IBM API Connect authentication bypass vulnerability published
CVE-2025-13915 was disclosed for IBM API Connect versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0, allowing remote attackers to bypass authentication and gain unauthorized access. IBM recommended applying fixed versions and verifying authentication controls.
Eaton discloses and fixes UPS Companion library authentication bypass
Eaton disclosed CVE-2025-59887 in its UPS Companion installer, where improper authentication of library files could enable arbitrary code execution through search order hijacking. Eaton released a patched version and published remediation guidance the same day.
Gitea fixes attachment file extension bypass in version 1.23.0
A high-severity vulnerability tracked as CVE-2025-68939 was disclosed for Gitea versions before 1.23.0, allowing attackers to bypass attachment file extension restrictions by editing attachment names. The issue was addressed in Gitea 1.23.0, and users were urged to upgrade.
UTT 512W buffer overflow flaw disclosed with public PoC
CVE-2025-15092 was published for UTT 进取 512W devices running firmware up to 1.7.7-171114, describing a remotely exploitable strcpy-based buffer overflow in /goform/ConfigExceptMSN via the remark argument. The disclosure noted public proof-of-concept exploits and recommended updating firmware beyond the affected version.
Cloudlog blind SQL injection vulnerability published as CVE-2024-44065
A critical unauthenticated time-based blind SQL injection flaw affecting Cloudlog 2.6.15 at /index.php/logbookadvanced/search via the qsoresults parameter was publicly disclosed. Public proof-of-concept code was available, and users were advised to update and harden input handling.
Sources
CVE-2025-15137 - TRENDnet TEW-800MB NTPSyncWithHost.cgi sub_F934 command injection (cvefeed.io)
CVE-2025-15136 - TRENDnet TEW-800MB Management wizardset do_setWizard_asp command injection (cvefeed.io)
CVE-2025-14180 - NULL Pointer Dereference in PDO quoting (cvefeed.io)
CVE-2025-54322 - Xspeeder SXZOS Remote Code Execution Vulnerability (cvefeed.io)
CVE-2025-13915 - Authentication bypass in IBM API Connect (cvefeed.io)
CVE-2025-59887 - Eaton UPS Companion Library File Authentication Bypass (cvefeed.io)
CVE-2025-68939 - Gitea File Extension Bypass Vulnerability (cvefeed.io)
CVE-2025-15092 - UTT 进取 512W ConfigExceptMSN strcpy buffer overflow (cvefeed.io)