Tag: critical

  • CVE-2025-22224: Critical TOCTOU Vulnerability in VMware ESXi and Workstation

    Critical TOCTOU Vulnerability Discovered in VMware ESXi and Workstation

    On March 4, 2025, Broadcom (VMware) disclosed a critical vulnerability tracked as CVE-2025-22224, affecting multiple versions of VMware ESXi, Workstation, VMware Cloud Foundation, and Telco Cloud Platform. The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) race condition that leads to an out-of-bounds write. A local attacker with administrative privileges inside a guest virtual machine can use it to execute code on the host.

    Understanding TOCTOU and the Vulnerability

    TOCTOU (Time-of-Check Time-of-Use) is a type of race condition where a system checks a resource for safety, but conditions change before the resource is used. This can be exploited to gain unauthorized access or modify memory in unsafe ways.

    In this case, the TOCTOU race leads to a heap overflow: an attacker with local administrative privileges inside a guest virtual machine can trigger an out-of-bounds write in the hypervisor. The resulting code runs as that virtual machine's VMX process on the host, so the guest breaks out of the isolation boundary the hypervisor exists to enforce (a VM escape).
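    The double-fetch pattern behind this class of bug, as an added example that is not VMware's code (the affected VMX code is not public): a length field lives in memory the guest can write, the host validates it, then reads it again when copying. The guest changing the value between the two reads is the race; the fix is to copy the value once and use only that snapshot. The race is modelled deterministically as a sequence of reads rather than with real threads, so the outcome is reproducible.

```python
"""Deterministic model of a TOCTOU double fetch on guest-writable memory.

Added example; not VMware code. The guest controls a length field that
the host reads twice: once to validate it, once to drive the copy.
"""
from typing import Callable, Iterable


class GuestSharedHeader:
    """Memory the guest can overwrite at any moment.

    Each call to read_length() returns the next value in `reads`; the
    sequence stands in for the interleaving a real race would produce."""

    def __init__(self, reads: Iterable[int]) -> None:
        self._reads = iter(reads)

    def read_length(self) -> int:
        return next(self._reads)


class HostBuffer:
    """Fixed-size host allocation. Writing past `size` is the overflow
    that in the real (C) code corrupts adjacent heap memory."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.data = bytearray(size)
        self.overflowed = False

    def write(self, index: int, value: int) -> None:
        if index >= self.size:
            self.overflowed = True
            return
        self.data[index] = value


def copy_vulnerable(header: GuestSharedHeader, src: bytes, dst: HostBuffer) -> None:
    """Time of check: one read. Time of use: a second read of the same
    guest-controlled field, which the guest may have changed meanwhile."""
    if header.read_length() > dst.size:
        raise ValueError("length exceeds host buffer")
    for i in range(header.read_length()):      # second fetch: the bug
        dst.write(i, src[i % len(src)])


def copy_fixed(header: GuestSharedHeader, src: bytes, dst: HostBuffer) -> None:
    """Single fetch into a local; the check and the copy use the same value."""
    length = header.read_length()
    if length > dst.size:
        raise ValueError("length exceeds host buffer")
    for i in range(length):
        dst.write(i, src[i % len(src)])


def race_overflows(copy_fn: Callable[..., None]) -> bool:
    """Run copy_fn where the guest presents a valid length (8) at the
    check and an oversized one (64) at the use. Returns True if the
    16-byte host buffer was written out of bounds."""
    dst = HostBuffer(16)
    header = GuestSharedHeader([8, 64])
    copy_fn(header, b"A" * 8, dst)
    return dst.overflowed


if __name__ == "__main__":
    print("vulnerable overflowed:", race_overflows(copy_vulnerable))  # True
    print("fixed overflowed:     ", race_overflows(copy_fixed))       # False
```

    The same rule applies to every field the guest can reach (ring indices, descriptor lengths, DMA addresses): read it once into a local, validate the local, and never touch the shared copy again for that operation.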

    CVSS Details

    The vulnerability has a CVSS v3.1 base score of 9.3 (CRITICAL), with the following vector:

    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    This breakdown highlights the seriousness of the issue:

    • Attack Vector: Local – the attacker must already be running code inside a guest VM
    • Attack Complexity: Low
    • Privileges Required: None – scored against the hypervisor, on which the attacker holds no privileges; administrative rights inside the guest are still needed
    • User Interaction: None
    • Scope: Changed – a flaw reachable from the guest compromises the host
    • Impact on Confidentiality, Integrity, and Availability: High

    Affected Products and Versions

    The following VMware products are affected:

    • ESXi 7.0 versions before 7.0U3s-24585291
    • ESXi 8.0 versions before 8.0U2d-24585300 and 8.0U3d-24585383
    • Workstation 17.x versions before 17.6.3
    • VMware Cloud Foundation 5.x and 4.5.x
    • Telco Cloud Platform 5.x, 4.x, 3.x, 2.x
    • Telco Cloud Infrastructure 3.x, 2.x

    Exploitation and Mitigation

    CISA added CVE-2025-22224 to its Known Exploited Vulnerabilities (KEV) catalog on the day of disclosure, and Broadcom stated it had information suggesting exploitation in the wild. Organizations must act urgently to:

    • Apply the latest VMware patches
    • Limit administrative access on guest VMs
    • Isolate high-risk workloads

    No user interaction is needed for exploitation, and no privileges on the host are required: administrative rights inside any one guest are enough. In shared or multi-tenant environments, where a tenant's guest administrator is routinely untrusted, this makes the flaw especially dangerous.

    Conclusion

    CVE-2025-22224 is a severe vulnerability with real-world exploitation, underlining the importance of securing hypervisor environments. VMware users should immediately verify their systems and apply vendor-recommended updates.

  • CVE-2025-22248: Unauthenticated Access via Default Pgpool Configuration in Bitnami PostgreSQL Deployments

    Critical Default Configuration Vulnerability in Bitnami Pgpool and Postgres-HA

    On May 13, 2025, a critical vulnerability identified as CVE-2025-22248 was disclosed, affecting Bitnami’s pgpool Docker image and the bitnami/postgres-ha Kubernetes Helm chart. This flaw permits unauthenticated access to PostgreSQL databases due to insecure default user settings.

    Understanding the Vulnerability

    The issue stems from the replication-check user (repmgr by default, selected via the PGPOOL_SR_CHECK_USER setting) that Pgpool uses for its internal streaming-replication checks. In the affected images and charts, the rule that lets this user connect through Pgpool uses the trust authentication method, so no password is required.

    If Pgpool is reachable from outside the intended network, an attacker can connect as that user and:

    • Access the PostgreSQL database without authentication
    • Potentially compromise data confidentiality, integrity, and availability
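    The check a practitioner would run against such a deployment, as an added example and not Bitnami's own code: parse the pg_hba.conf / pool_hba.conf rules (pgpool's pool_hba.conf uses the same record format) and report every trust rule that is reachable over the network rather than only via the local Unix socket. The sample rule set is constructed for illustration and is not a copy of the shipped Bitnami file.

```python
"""Find 'trust' rules reachable over the network in pg_hba.conf / pool_hba.conf.

Added example; not Bitnami code. The sample config is constructed and
only models the record format:
    TYPE  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HbaRule:
    line_no: int
    conn_type: str            # local | host | hostssl | hostnossl | ...
    database: str
    user: str
    address: Optional[str]    # None for local (Unix-socket) rules
    method: str


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hba(text: str) -> List[HbaRule]:
    rules: List[HbaRule] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) >= 4:
                rules.append(HbaRule(no, f[0], f[1], f[2], None, f[3]))
            continue
        if len(f) < 5:
            continue
        # ADDRESS is "10.0.0.0/8" or the older "10.0.0.0 255.0.0.0" form
        if "/" not in f[3] and len(f) >= 6 and _is_ip(f[4]):
            rules.append(HbaRule(no, f[0], f[1], f[2], f"{f[3]}/{f[4]}", f[5]))
        else:
            rules.append(HbaRule(no, f[0], f[1], f[2], f[3], f[4]))
    return rules


def reachable_over_network(address: str) -> bool:
    """True unless the address is provably loopback-only."""
    if address in ("all", "samenet"):
        return True
    if address == "samehost":
        return False
    try:
        return not ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return True           # a hostname: cannot prove it is local, be conservative


def unauthenticated_network_rules(text: str) -> List[HbaRule]:
    """Rules that admit a network client with no password at all."""
    return [
        r for r in parse_hba(text)
        if r.method == "trust"
        and r.conn_type != "local"                 # Unix socket only
        and reachable_over_network(r.address)
    ]


def hardened(rule: HbaRule) -> str:
    """The same rule with password authentication. The user must also be
    given a password on the backend for the rule to be usable."""
    return f"{rule.conn_type} {rule.database} {rule.user} {rule.address} scram-sha-256"


# Constructed sample: a trust rule for the replication-check user that
# matches every source address. Not the literal Bitnami file.
SAMPLE_POOL_HBA = """\
# TYPE  DATABASE  USER    ADDRESS         METHOD
local   all       all                     trust
host    all       all     127.0.0.1/32    trust
host    all       repmgr  0.0.0.0/0       trust          # SR check user
host    all       all     0.0.0.0/0       scram-sha-256
"""

if __name__ == "__main__":
    for r in unauthenticated_network_rules(SAMPLE_POOL_HBA):
        print(f"line {r.line_no}: {r.user!r} trusted from {r.address} -> {hardened(r)}")
```

    Run it against the pool_hba.conf actually mounted into the pgpool container (and the pg_hba.conf on each PostgreSQL node, since pgpool forwards the connection). A loopback-only trust rule is acceptable inside a single container; one that matches 0.0.0.0/0 is an unauthenticated database for anyone who can reach the port.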

    CVSS 4.0 Score and Impact

    This vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.4. The vector string is:

    CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

    The scoring details reveal:

    • Attack Vector: Adjacent network – the attacker must be able to reach Pgpool's listener, for example from another pod in the same Kubernetes cluster or from the same network segment
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality/Integrity/Availability Impact: High

    This configuration flaw exemplifies CWE-1188: Initialization of a Resource with an Insecure Default, which refers to the use of weak or unsafe defaults in software deployments.

    Affected Versions

    The following Bitnami components are impacted:

    • bitnami/pgpool versions prior to 4.6.0-debian-12-r8
    • bitnami/postgres-ha versions prior to 16.0.0

    These defaults are present in both Docker and Kubernetes Helm chart deployments.

    Remediation

    Organizations using affected versions should:

    • Update to the latest fixed versions of pgpool and postgres-ha
    • Audit and secure all default database users
    • Restrict external exposure of Pgpool where unnecessary

    Bitnami has provided updated packages and advisories through their GitHub repository.

    Conclusion

    CVE-2025-22248 is a strong reminder of the dangers posed by insecure default configurations, especially in cloud-native environments. Administrators must not rely on default security settings and should proactively review deployment parameters to reduce risk.

  • CVE-2025-20125: Cisco Identity Services Engine API Authorization Bypass Vulnerability

    Cisco ISE API Authorization Bypass: A Critical Vulnerability

    On February 5, 2025, Cisco published details of a critical vulnerability, identified as CVE-2025-20125, affecting multiple versions of the Cisco Identity Services Engine (ISE) and its Passive Identity Connector (ISE-PIC). The flaw lets an attacker holding only read-only administrative credentials make changes that should require full administrative rights.

    Understanding the Vulnerability

    This vulnerability arises from improper authorization checks (categorized under CWE-285) within a specific API endpoint of Cisco ISE. Affected systems do not correctly validate user permissions, allowing low-privilege users to:

    • Access sensitive information
    • Modify system configurations
    • Restart the device

    The root causes include:

    • Insufficient authorization enforcement
    • Improper validation of user-supplied input

    Even though an attacker must have valid read-only credentials, exploitation can result in severe consequences, especially in single-node deployments where authentication services are disrupted during a system reload.

    CVSS Score and Technical Impact

    This vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL), calculated from the following vector string:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H

    This scoring reflects the following attributes:

    • Attack Vector (AV): Network – remotely exploitable
    • Attack Complexity (AC): Low – requires minimal effort
    • Privileges Required (PR): Low – read-only access is sufficient
    • User Interaction (UI): None – no user action required
    • Scope: Changed – impacts resources beyond the vulnerable component
    • Confidentiality/Integrity Impact: Low
    • Availability Impact: High – device reloads can disrupt services

    Affected Versions

    The vulnerability affects a wide range of Cisco ISE software releases, from 2.7.0 patch 8 through 3.3.0 and various patch levels. The Passive Identity Connector for releases 3.0.0 through 3.3.0 is also affected. For the complete list of affected and fixed releases, refer to Cisco's security advisory.

    Mitigation and Remediation

    Cisco has released fixed software and encourages all users to upgrade. No workarounds are available, so restricting who can reach the API reduces exposure but is not a substitute for patching. Organizations should:

    • Restrict access to the vulnerable API endpoints
    • Regularly audit privilege levels for administrative users
    • Monitor systems for abnormal configuration changes

    Public Disclosure and Exploitation

    As of publication, no public exploitation or active attacks have been reported. However, due to the vulnerability’s severity and scope, timely patching is critical.

    Conclusion

    CVE-2025-20125 highlights the importance of robust authorization mechanisms in API design. Even with restricted credentials, attackers can severely compromise enterprise infrastructure if backend validations are insufficient. Cisco users are strongly urged to verify their software versions and apply the necessary patches immediately.

  • CVE-2025-20156: Critical Privilege Escalation in Cisco Meeting Management REST API

    Overview

    CVE-2025-20156 identifies a critical vulnerability in the Cisco Meeting Management (CMM) application, affecting multiple versions from 2.9.0 through 3.9.0. The vulnerability lies in the REST API, which fails to enforce proper authorization controls, enabling low-privileged users to escalate their privileges to administrator.

    Technical Details

    This flaw is classified under CWE-274: Improper Handling of Insufficient Privileges. A remote, authenticated attacker with low-level access can send crafted API requests to a specific endpoint. Due to insufficient authorization enforcement, these requests are incorrectly processed, granting elevated access rights.

    With administrator-level control, an attacker can take over edge nodes managed by Cisco Meeting Management, potentially compromising the confidentiality, integrity, and availability of sensitive communication systems.

    CVSS Score and Severity

    The vulnerability has a CVSS v3.1 base score of 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Impact: High on confidentiality, integrity, and availability

    Impact

    Successful exploitation of this vulnerability enables an attacker to:

    • Gain full administrative privileges
    • Control system configurations and user access
    • Access or manipulate sensitive meeting data
    • Potentially pivot to other internal systems managed through CMM

    Given the high impact and network accessibility, this vulnerability poses a significant risk to enterprise environments relying on Cisco Meeting Management.

    Mitigation

    • Apply Cisco’s patches for all affected versions as outlined in their advisory.
    • Review and restrict API access using network segmentation and access control lists (ACLs).
    • Monitor logs for unusual REST API calls or privilege escalation attempts.
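    The class of bug that both CVE-2025-20125 (ISE) and CVE-2025-20156 (Meeting Management) describe, as an added example that is not Cisco code (the affected endpoints are not public): an API that authenticates the caller but never checks that the caller's role carries the permission the operation needs. The first handler below has that gap; the second maps every route to a required permission and fails closed. The routes, roles and permission names are constructed.

```python
"""Authenticated-but-unauthorized API calls, vulnerable vs hardened.

Added example; not Cisco code. Routes, roles and permissions are made up
to model the advisories' scenario: a read-only administrator changing
configuration, reloading the device, or granting itself a higher role.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Permission each operation needs. A route missing here is denied, so a
# new endpoint cannot ship without an explicit authorization decision.
REQUIRED_PERMISSION: Dict[Tuple[str, str], str] = {
    ("GET", "/api/config"): "config:read",
    ("PUT", "/api/config"): "config:write",
    ("POST", "/api/system/reload"): "system:reload",
    ("POST", "/api/users/role"): "users:admin",
}

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "read-only-admin": {"config:read"},
    "super-admin": {"config:read", "config:write", "system:reload", "users:admin"},
}


@dataclass
class Principal:
    name: str
    roles: Set[str]


@dataclass
class Request:
    method: str
    path: str
    principal: Principal
    body: Dict[str, str] = field(default_factory=dict)


class Api:
    def __init__(self) -> None:
        self.config = {"mode": "prod"}
        self.reloads = 0

    def _dispatch(self, req: Request) -> Tuple[int, Dict]:
        """Business logic with no access decisions of its own."""
        key = (req.method, req.path)
        if key == ("GET", "/api/config"):
            return 200, dict(self.config)
        if key == ("PUT", "/api/config"):
            self.config.update(req.body)
            return 200, dict(self.config)
        if key == ("POST", "/api/system/reload"):
            self.reloads += 1
            return 202, {"status": "reloading"}
        if key == ("POST", "/api/users/role"):
            req.principal.roles.add(req.body["role"])   # escalation if unchecked
            return 200, {"roles": sorted(req.principal.roles)}
        return 404, {}

    def handle_vulnerable(self, req: Request) -> Tuple[int, Dict]:
        """Checks only that a session exists (authentication), then runs
        the operation: every endpoint is effectively all-or-nothing."""
        if not req.principal.roles:
            return 401, {}
        return self._dispatch(req)

    def handle_hardened(self, req: Request) -> Tuple[int, Dict]:
        """Authenticates, then authorizes per (method, path)."""
        if not req.principal.roles:
            return 401, {}
        needed = REQUIRED_PERMISSION.get((req.method, req.path))
        if needed is None:
            return 403, {}                 # unknown route: fail closed
        granted: Set[str] = set()
        for role in req.principal.roles:
            granted |= ROLE_PERMISSIONS.get(role, set())
        if needed not in granted:
            return 403, {}
        return self._dispatch(req)


def read_only_admin_attempts(handler: str) -> Tuple[int, int, int]:
    """Replay the three actions from the advisories as a read-only admin
    and return each status code: write config, reload, self-promote."""
    api = Api()
    ro = Principal("auditor", {"read-only-admin"})
    h = getattr(api, handler)
    return (
        h(Request("PUT", "/api/config", ro, {"mode": "debug"}))[0],
        h(Request("POST", "/api/system/reload", ro))[0],
        h(Request("POST", "/api/users/role", ro, {"role": "super-admin"}))[0],
    )


if __name__ == "__main__":
    print("vulnerable:", read_only_admin_attempts("handle_vulnerable"))  # (200, 202, 200)
    print("hardened:  ", read_only_admin_attempts("handle_hardened"))    # (403, 403, 403)
```

    The design point is that the authorization table is keyed by method as well as path: a read-only role legitimately needs GET on the configuration resource, and the bug class lives precisely in the write verbs on the same resource that were never given their own decision.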

  • CVE-2025-20188: Critical File Upload and Command Execution Vulnerability in Cisco IOS XE

    Overview

    CVE-2025-20188 discloses a critical vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software running on Wireless LAN Controllers (WLCs). This flaw allows unauthenticated, remote attackers to upload arbitrary files and execute commands with root privileges.

    Technical Details

    The root cause is the use of a hard-coded JSON Web Token (JWT) within the affected software. This credential grants unauthorized access to the AP image download interface. By crafting specific HTTPS requests, attackers can:

    • Upload arbitrary files
    • Perform path traversal
    • Execute arbitrary commands as the root user

    The vulnerable feature is not enabled by default. Where it has been enabled, however, the controller's HTTPS interface accepts these requests without any operator-issued credential, so confirming whether the feature is on is the first triage step for every WLC in the estate.

    Vulnerable Versions

    Cisco's advisory lists affected releases from 17.7.1 through 17.14.1, including intermediate maintenance and special releases such as 17.10.1b and 17.11.99SW. Because the fixed release differs by release train, use the advisory (or Cisco's Software Checker) to confirm the first fixed release for the version you run.

    CVSS Score and Severity

    This vulnerability carries a CVSS v3.1 base score of 10.0, the highest possible rating, indicating full compromise potential. Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Impact: High confidentiality, integrity, and availability

    Impact

    A successful exploit allows complete system compromise, including the ability to upload and execute malicious payloads. Given that no authentication is required, the vulnerability poses a major risk, particularly in environments where the Out-of-Band AP Image Download feature is enabled.

    Mitigation and Recommendations

    • Disable the affected feature if not in use.
    • Apply Cisco patches as referenced in the official advisory.
    • Restrict external access to management interfaces via firewall rules.
    • Monitor logs for suspicious file upload or command activity.

  • CVE-2025-20124: Critical Java Deserialization Vulnerability in Cisco ISE

    Overview

    CVE-2025-20124 discloses a critical vulnerability in Cisco Identity Services Engine (ISE), affecting multiple versions including 2.7.0 patch 8 through 3.3 patch 3. This flaw stems from insecure deserialization of Java objects in an exposed API, allowing authenticated remote attackers to execute commands with root privileges.

    Technical Details

    This vulnerability is classified under CWE-502: Deserialization of Untrusted Data. Cisco ISE fails to safely deserialize user-supplied Java byte streams received through a specific API endpoint. By submitting a crafted serialized Java object, an attacker with valid read-only administrative credentials can trigger arbitrary command execution and escalate privileges to root on the affected device.

    Though authentication is required, the low privileges needed and remote accessibility make this flaw particularly dangerous in multi-node or enterprise deployments.

    CVSS Score and Severity

    The vulnerability is rated as CRITICAL with a CVSS v3.1 base score of 9.9. Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H. Breakdown:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Impact: High integrity and availability, low confidentiality

    Impact

    Successful exploitation can allow attackers to:

    • Execute arbitrary system commands as root
    • Gain full control of the affected device
    • Disrupt authentication services in single-node deployments

    No public exploitation has been reported at this time, but the severity and nature of the vulnerability call for immediate attention.

    Mitigation

    • Apply security updates provided by Cisco as outlined in their advisory.
    • Restrict access to Cisco ISE management APIs using firewall rules and access control.
    • Monitor system logs for anomalous API requests or process behavior.

  • CVE-2025-26763: PHP Object Injection in MetaSlider Plugin for WordPress

    Overview

    CVE-2025-26763 discloses a critical vulnerability in the popular Responsive Slider by MetaSlider WordPress plugin, affecting all versions up to and including 3.94.0. This issue permits PHP Object Injection via deserialization of untrusted data, exposing affected websites to potential code execution and full system compromise.

    Technical Details

    The vulnerability is categorized under CWE-502: Deserialization of Untrusted Data. In affected versions, insufficient validation when handling serialized data allows attackers to inject specially crafted objects. Whether that escalates to arbitrary code execution depends on a usable Property-Oriented Programming (POP) chain: a class, in this plugin or in any other installed plugin or theme, whose magic methods (such as __wakeup or __destruct) do something dangerous with attacker-controlled properties. The injection point itself is the plugin's; the chain may come from anywhere in the site's codebase.

    The vulnerable code path does not require authentication or user interaction, so exploitation is feasible from the network against any site running an affected version.
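    The boundary check that CWE-502 issues call for, as an added example that is neither Cisco's nor MetaSlider's code (neither vulnerable code path is on the page): before any deserializer runs, inspect the payload and reject serialized objects outright. The walker below understands enough of PHP's serialize() format to tell an object record (O: or C:) from a string that merely contains the text "O:", which a regex cannot; a companion check recognises a Java serialization stream by its magic bytes, which covers the Cisco ISE case (CVE-2025-20124) above. Sample payloads are constructed.

```python
"""Reject serialized-object payloads before a deserializer sees them.

Added example; not code from Cisco ISE or MetaSlider. Covers two formats:
PHP serialize() (walked structurally) and Java's ObjectOutputStream
(recognised by its stream magic). Payloads used with it are constructed.
"""
import re
from typing import List

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"        # STREAM_MAGIC + STREAM_VERSION 5
PHP_TAG = re.compile(rb"^[NbidsaOCrR][:;]")     # how every PHP record starts


class PhpSerialized:
    """Minimal structural walker; records the class of every O:/C: node."""

    def __init__(self, data: bytes) -> None:
        self.d = data
        self.i = 0
        self.classes: List[str] = []

    def _expect(self, token: bytes) -> None:
        if self.d[self.i:self.i + len(token)] != token:
            raise ValueError(f"expected {token!r} at offset {self.i}")
        self.i += len(token)

    def _until(self, sep: bytes) -> bytes:
        j = self.d.index(sep, self.i)             # ValueError if absent
        out = self.d[self.i:j]
        self.i = j + 1
        return out

    def _sized_name(self) -> bytes:
        """<len>:"<bytes>"  The declared byte length wins over any quote inside."""
        n = int(self._until(b":"))
        self._expect(b'"')
        name = self.d[self.i:self.i + n]
        if len(name) != n:
            raise ValueError("truncated")
        self.i += n
        self._expect(b'"')
        return name

    def _members(self) -> None:
        count = int(self._until(b":"))
        self._expect(b"{")
        for _ in range(count):
            self.value()                          # key
            self.value()                          # value
        self._expect(b"}")

    def value(self) -> None:
        tag = self.d[self.i:self.i + 1]
        self.i += 1
        if tag == b"N":
            self._expect(b";")
        elif tag in (b"b", b"i", b"d", b"r", b"R"):
            self._expect(b":")
            self._until(b";")
        elif tag == b"s":
            self._expect(b":")
            self._sized_name()                    # string body is opaque data
            self._expect(b";")
        elif tag == b"a":
            self._expect(b":")
            self._members()
        elif tag == b"O":
            self._expect(b":")
            self.classes.append(self._sized_name().decode("latin-1"))
            self._expect(b":")
            self._members()
        elif tag == b"C":                          # Serializable::serialize() output
            self._expect(b":")
            self.classes.append(self._sized_name().decode("latin-1"))
            self._expect(b":")
            n = int(self._until(b":"))
            self._expect(b"{")
            self.i += n
            self._expect(b"}")
        else:
            raise ValueError(f"unknown tag {tag!r} at offset {self.i - 1}")


def php_object_classes(payload: bytes) -> List[str]:
    """Class names of every object in a PHP-serialized value; [] if none."""
    p = PhpSerialized(payload)
    p.value()
    if p.i != len(payload):
        raise ValueError("trailing data")
    return p.classes


def gate(payload: bytes) -> str:
    """Decision for an inbound blob: 'allow' or 'reject: <reason>'."""
    if payload.startswith(JAVA_STREAM_MAGIC):
        return "reject: java serialization stream"
    if not PHP_TAG.match(payload):
        return "allow"                            # not PHP-serialized at all
    try:
        classes = php_object_classes(payload)
    except ValueError:
        return "reject: malformed php serialization"
    if classes:
        return "reject: php object " + ",".join(classes)
    return "allow"
```

    A gate like this belongs in front of legacy code that cannot be changed quickly. The real fix is in the deserializer call: in PHP, unserialize() with ['allowed_classes' => false] (or JSON instead of serialize()), and in Java an ObjectInputFilter that allowlists the expected classes rather than trusting whatever the stream names.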

    Severity and CVSS Score

    This vulnerability is rated as Critical with a CVSS v3.1 base score of 9.8. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Impact

    If exploited, this vulnerability may allow attackers to:

    • Execute arbitrary PHP code on the server
    • Access or modify sensitive data
    • Disrupt website functionality or availability

    The severity is compounded by the plugin’s widespread usage in WordPress sites and the unauthenticated nature of the attack vector.

    Mitigation

    • Update Immediately: Upgrade to MetaSlider version 3.95.0 or later.
    • Monitor for Indicators of Compromise: Review server logs and file integrity for any suspicious activity.
    • Restrict Unnecessary Plugin Use: Deactivate or remove unused plugins to reduce attack surface.

    Credits

    Thanks to Le Ngoc Anh (Patchstack Alliance) for responsibly reporting this vulnerability.

  • CVE-2025-26692: Path Traversal Vulnerability in SIOS Quick Agent

    Overview

    CVE-2025-26692 identifies a critical security vulnerability affecting SIOS Quick Agent V2 and V3. Specifically, Quick Agent V3 versions prior to 3.2.1 and Quick Agent V2 versions prior to 2.9.8 are affected. This vulnerability involves improper limitation of a pathname to a restricted directory, commonly known as a Path Traversal issue.

    Technical Details

    The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. Affected versions fail to adequately validate file paths, allowing remote unauthenticated attackers to traverse directories and access files outside the intended root directory. If exploited, this can result in the execution of arbitrary code with Windows system privileges.

    Because the software runs with elevated permissions, successful exploitation could allow complete system compromise, depending on the attacker’s ability to control or manipulate uploaded file paths.
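    The containment check that both the Cisco IOS XE entry above (the path traversal in CVE-2025-20188) and this SIOS Quick Agent flaw imply is missing, as an added example and not code from either product: normalise the client-supplied path, join it to the directory the feature is allowed to serve, and accept it only if the result still lies strictly inside that directory. It treats backslashes as separators because the agent runs on Windows, and works on the logical path so the result does not depend on a live filesystem; the root directory and file names are constructed.

```python
"""Containment check for user-supplied file paths (CWE-22).

Added example; not code from Cisco IOS XE or SIOS Quick Agent. Root
directory and filenames are constructed.
"""
import posixpath
from typing import Dict, Iterable, Optional


def resolve_in_root(root: str, user_path: str) -> Optional[str]:
    """Return the normalised target path if it is strictly inside root,
    otherwise None. Call this on the path *after* the server has done all
    of its URL/form decoding; validating the still-encoded form is a
    classic bypass (%2e%2e%2f passes a textual '..' check)."""
    if "\x00" in user_path:
        return None                                   # NUL-truncation tricks
    candidate = user_path.replace("\\", "/")          # Windows separators
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        return None                                   # absolute path or drive letter
    root_norm = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root_norm, candidate))
    # Compare against root *plus* separator: /srv/images2 must not pass as
    # being inside /srv/images, and the root itself is not a valid target.
    if not joined.startswith(root_norm + "/"):
        return None
    return joined


def traversal_report(root: str, names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each requested name to its accepted path, or None if rejected."""
    return {n: resolve_in_root(root, n) for n in names}


# constructed requests a file-download/upload endpoint might receive
SAMPLE_REQUESTS = [
    "ap1.bin",
    "sub/../ap2.bin",
    "../../etc/shadow",
    "..\\..\\Windows\\System32\\evil.dll",
    "/etc/passwd",
    "C:\\Windows\\evil.dll",
    "../ap-images2/x.bin",
]

if __name__ == "__main__":
    for name, resolved in traversal_report("/srv/ap-images", SAMPLE_REQUESTS).items():
        print(f"{name!r:45} -> {resolved}")
```

    In production, follow the logical check with os.path.realpath on the final path and repeat the prefix test, so a symlink already present under the root cannot redirect the write elsewhere; the logical check alone is what stops the "..", absolute-path and drive-letter cases shown here.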

    Severity and CVSS Scores

    This vulnerability has received the following CVSS ratings:

    • CVSS v3.0: 8.1 (High) – CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    • CVSS v4.0: 9.2 (Critical) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

    These scores reflect the seriousness of the issue, highlighting its remote exploitability, lack of required user interaction, and the high impact on confidentiality, integrity, and availability.

    Potential Impact

    If left unpatched, this vulnerability could allow attackers to:

    • Read or modify sensitive system files
    • Install and execute malicious programs
    • Fully compromise affected systems

    The risk is elevated due to the lack of authentication needed and the ability to exploit the issue over a network.

    Mitigation

    • Upgrade to: Quick Agent V3 version 3.2.1 or later, and Quick Agent V2 version 2.9.8 or later.
    • Restrict network access: Ensure that only trusted systems can reach the agent endpoints.
    • Monitor system logs: Look for abnormal file access patterns or unexpected file executions.

  • CVE-2025-2780: Critical File Upload Vulnerability in Woffice Core Plugin

    Overview

    A critical vulnerability has been identified in the Woffice Core plugin for WordPress, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2780, this flaw enables authenticated users with Subscriber-level access or higher to upload arbitrary files to the server due to missing file type validation in the saveFeaturedImage function.

    Technical Details

    The issue arises from the lack of proper file type validation, which permits users with minimal privileges to upload files of any type. Classified under CWE-434: Unrestricted Upload of File with Dangerous Type, this vulnerability can be exploited to upload executable scripts that may lead to remote code execution (RCE) on the hosting server.

    The vulnerable function, saveFeaturedImage, fails to restrict file MIME types or sanitize file content. This creates an opportunity for threat actors to upload malicious payloads disguised as images or documents.
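    What a featured-image handler should do instead, as an added example that is not Woffice's saveFeaturedImage (that code is not on the page): an extension allowlist checked on every dotted component, a magic-byte check of the content against the claimed type, a scan for PHP open tags inside the image bytes, and a server-generated filename. The client-sent MIME type is deliberately not an input, since the attacker controls it. The sample files are constructed bytes.

```python
"""Server-side validation for image uploads (CWE-434).

Added example; not Woffice's saveFeaturedImage. Sample files below are
constructed bytes, not real images.
"""
import os
import secrets

# extension -> leading bytes the content must start with
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# anything the web server might execute or read as configuration
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess", "shtml"}
SCRIPT_MARKERS = (b"<?php", b"<?=")


class UploadRejected(Exception):
    pass


def save_featured_image_vulnerable(upload_dir: str, filename: str) -> str:
    """What a handler with no type check amounts to: the client's name,
    extension included, becomes a path the web server may later execute."""
    return os.path.join(upload_dir, filename)


def validate_image_upload(filename: str, content: bytes) -> str:
    """Return a safe stored filename for an acceptable image, else raise."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing name or extension")   # also covers .htaccess
    ext = parts[-1]
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # shell.php.png: every extension component is checked, not only the last
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        raise UploadRejected("script extension in name")
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    if any(marker in content for marker in SCRIPT_MARKERS):
        raise UploadRejected("PHP open tag inside image data")
    return f"{secrets.token_hex(8)}.{ext}"             # client never picks the name


def is_accepted(filename: str, content: bytes) -> bool:
    """Boolean view of validate_image_upload for scripting and tests."""
    try:
        validate_image_upload(filename, content)
        return True
    except UploadRejected:
        return False


# constructed samples
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['c']); ?>"
POLYGLOT = PNG_STUB + PHP_SHELL          # valid PNG header with PHP appended

if __name__ == "__main__":
    for name, blob in [("cover.png", PNG_STUB), ("shell.php", PHP_SHELL),
                       ("shell.php.png", PNG_STUB), ("cover.png", POLYGLOT)]:
        print(f"{name:14} accepted={is_accepted(name, blob)}")
```

    The polyglot case is why the marker scan is there: a file that is a valid PNG and also contains PHP is harmless in an uploads directory that never executes scripts, and a web shell in one that does. Pair this validation with a web-server rule that disables script execution under the uploads path, so a bypass of either control is not enough on its own.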

    Severity and CVSS Score

    This vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score reflects:

    • Network-based attack vector
    • Low complexity
    • No user interaction required
    • High impact on confidentiality, integrity, and availability

    Note that the vector's PR:N does not match the Subscriber-level account the description requires; a strictly scored vector would carry PR:L. In practice the difference is small on sites with open registration, where anyone can obtain a Subscriber account in seconds.

    Potential Impact

    Authenticated users, including Subscribers, could upload files that execute arbitrary code. This opens the door to complete server takeover, data theft, or lateral movement within the hosting environment. Since the attack can be automated, it represents a significant threat for any site using the vulnerable plugin version.

    Mitigation and Recommendations

    • Update Immediately: Upgrade to Woffice Core version 5.4.22 or later.
    • Restrict File Uploads: Use application-layer firewalls or additional plugins to limit file upload types.
    • Monitor Logs: Review recent uploads and access logs for suspicious activity.
    • Review User Roles: Ensure only necessary users have upload permissions.

    Credits

    This vulnerability was responsibly disclosed by Friderika Baranyai.

  • CVE-2025-2798: Critical Authentication Bypass in Woffice CRM WordPress Theme

    Overview

    A critical security vulnerability has been discovered in the Woffice CRM WordPress theme, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2798, this flaw allows unauthenticated users to gain Administrator-level access through a misconfiguration in the user registration process.

    Technical Details

    The vulnerability is rooted in improper privilege management (CWE-269). Specifically, a misconfiguration involving excluded roles during registration enables attackers to exploit custom login forms. If these forms are in use, unauthenticated users may register accounts with Administrator privileges.

    Even more concerning, this issue can be compounded when combined with CVE-2025-2797, which may allow bypassing the user approval process if an Administrator is tricked into taking certain actions, such as clicking a malicious link.

    Severity and CVSS Score

    This vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This means:

    • Attack Vector: Network-based
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Impact

    The ability for unauthenticated users to register as Administrators poses a severe threat. Attackers could fully compromise the site by gaining control over its administrative features. The combination with other vulnerabilities further increases the risk, potentially enabling full site takeover with little to no user interaction.

    Mitigation Steps

    • Update Immediately: Upgrade to version 5.4.22 or later of the Woffice CRM theme.
    • Audit Custom Login Forms: Review and secure any custom user registration forms in use.
    • Review User Roles: Check for any suspicious administrator accounts created recently.
    • Educate Administrators: Train site admins to avoid clicking unknown or suspicious links.

    Credits

    Thanks to Friderika Baranyai for responsibly disclosing this issue.