Karl.Fail

Tag: critical

  • CVE-2025-2332: PHP Object Injection Vulnerability in WordPress Export Plugin

    Overview

    A critical vulnerability has been identified in the WordPress plugin Export All Posts, Products, Orders, Refunds & Users, affecting all versions up to and including 2.13. Tracked as CVE-2025-2332, this flaw exposes sites to PHP Object Injection due to unsafe deserialization of user input within the returnMetaValueAsCustomerInput function.

    Technical Details

    The vulnerability stems from a lack of input validation when data is passed to the returnMetaValueAsCustomerInput function. Specifically, it deserializes untrusted user input, which creates a condition known as Deserialization of Untrusted Data (CWE-502).

    This vulnerability can allow unauthenticated attackers to inject PHP objects into the application. Although the vulnerable plugin does not contain a known POP chain (Property-Oriented Programming chain), the impact becomes critical if another plugin or theme on the same site introduces such a chain. In such cases, an attacker could:

    • Delete arbitrary files
    • Access sensitive information
    • Execute arbitrary code on the server

    Severity and CVSS Score

    According to CVSS v3.1, this vulnerability has been scored 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score indicates:

    • Attack Vector (AV:N): Exploitable over the network
    • Attack Complexity (AC:L): Low complexity required
    • Privileges Required (PR:N): No authentication necessary
    • User Interaction (UI:N): No user interaction needed
    • Impact (C, I, A: H): High impact on confidentiality, integrity, and availability

    Impact Analysis

    By itself, CVE-2025-2332 cannot be exploited for arbitrary code execution due to the absence of a POP chain in the vulnerable plugin. However, in real-world environments where other plugins or themes introduce a POP chain, the potential damage becomes severe. This highlights the importance of defense-in-depth and avoiding unnecessary plugin installations.

    Mitigation and Recommendations

    • Update Immediately: Site administrators using versions ≤ 2.13 of this plugin should upgrade to a fixed version as soon as one is available.
    • Audit Plugins and Themes: Remove or replace any plugins or themes that may introduce exploitable POP chains.
    • Monitor Logs: Check for unexpected activity or unusual file changes.
    • Use Application Firewalls: Tools like Wordfence can help detect and block such injection attempts.

    References

    Credits

    This vulnerability was responsibly disclosed by Craig Smith.

  • Critical Cryptographic Weakness in WPS Office Enables Update Hijacking (CVE-2025-2516)

    Overview

    A critical vulnerability, identified as CVE-2025-2516, has been found in WPS Office for Windows by Kingsoft. The flaw stems from the use of a weak cryptographic key pair in the software’s signature verification process, which may allow attackers to sign malicious components as legitimate. This issue is further compounded by older WPS Office versions failing to validate the update server’s certificate, making it vulnerable to Adversary-In-The-Middle (AITM) attacks.

    Technical Details

    This vulnerability involves inadequate encryption strength, formally classified as CWE-326. The weak cryptographic key used for signature verification could be recovered through brute-force techniques. Once the private key is obtained, an attacker can generate valid-looking signed components and inject them into the software update mechanism.

    Older versions of WPS Office exacerbated this risk by not verifying the identity of the update server. This allowed attackers in a man-in-the-middle position to redirect users to malicious updates, fully compromising affected systems.

    CVSS and Severity

    Using the CVSS v4.0 scoring system, the vulnerability has been rated as Critical with a base score of 9.5. The vector string is:

    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber

    This reflects:

    • Attack is network-based
    • No privileges or user interaction required
    • High impact on confidentiality, integrity, and availability
    • High complexity due to key recovery requirement

    Attack Patterns

    The vulnerability aligns with several attack patterns:

    Real-World Exploitation

    This vulnerability has already been weaponized by a threat actor, underlining its severity and the urgency for remediation.

    Mitigation

    Users are advised to update WPS Office to the latest secure version and ensure that update processes validate server certificates. Organizations should also monitor for signs of tampered updates and verify the authenticity of software components.

    Further Information

    More insights are available in the detailed research by ESET: WeLiveSecurity Report.

    Conclusion

    CVE-2025-2516 is a reminder of the critical role cryptographic strength and secure update channels play in software integrity. Organizations should treat this vulnerability as high priority and respond accordingly to prevent potential exploitation.

  • Critical Authentication Bypass in U-Office Force (CVE-2025-2395)

    Overview

    A critical security vulnerability, CVE-2025-2395, has been identified in U-Office Force, a product developed by e-Excellence. This vulnerability allows unauthenticated remote attackers to gain administrative access by manipulating cookies and exploiting a vulnerable API endpoint. The flaw affects all versions prior to 28.0.

    Technical Details

    The root cause of the issue is the application’s reliance on cookies without proper validation and integrity checking, classified as CWE-565. Attackers can exploit this by forging or modifying session cookies, effectively bypassing authentication mechanisms and assuming the identity of privileged users.

    Once the attacker crafts a malicious request to a specific API endpoint and sets a tampered cookie, they can log in as an administrator without needing any credentials. This technique is categorized under the CAPEC-226: Session Credential Falsification through Manipulation attack pattern.

    CVSS and Severity

    The vulnerability has been rated Critical with a CVSS v3.1 base score of 9.8. The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This score reflects the following characteristics:

    • Attack is possible over the network
    • Requires no privileges or user interaction
    • Leads to high impact on confidentiality, integrity, and availability

    Impact

    Successful exploitation could allow full administrative control over the affected system. Attackers could access sensitive information, manipulate configurations, install malicious code, or disrupt services—posing a severe risk to organizational security and operations.

    Mitigation

    Users of U-Office Force are strongly advised to upgrade to version 28.0 or later, which addresses this vulnerability. Organizations should also audit any suspicious authentication events and enhance session validation mechanisms as a precaution.

    Additional Information

    More details about this vulnerability and updates are available via the following resources:

    Conclusion

    CVE-2025-2395 is a reminder of the dangers posed by weak authentication practices. Developers and system administrators must implement rigorous validation for session credentials to prevent unauthorized access and protect sensitive systems from exploitation.

  • Critical Authentication Bypass in BuddyBoss Platform Pro (CVE-2025-1909)

    Overview

    A critical vulnerability has been discovered in the BuddyBoss Platform Pro plugin for WordPress, affecting all versions up to and including 2.7.01. This flaw, tracked as CVE-2025-1909, allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, via the Apple OAuth provider.

    Technical Details

    The vulnerability arises due to insufficient verification of the user identity during the Apple OAuth authentication process. When a login request is made through this provider, the plugin fails to properly confirm the authenticity of the user information. This oversight enables attackers who know the email address of an existing user to craft a malicious request and gain unauthorized access.

    This issue is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.

    CVSS and Severity

    According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has a base score of 9.8, making it Critical in severity. The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This indicates that:

    • The attack is network-based
    • No privileges are required
    • No user interaction is needed
    • Impact is high on confidentiality, integrity, and availability

    Impact

    Successful exploitation means attackers can impersonate site users, including administrators, leading to complete control over the WordPress site. This includes access to sensitive data, ability to install malicious plugins or themes, and potential full site compromise.

    Mitigation

    Site administrators are urged to update BuddyBoss Platform Pro to the latest available version immediately. As of the publication date, version 2.7.10 includes the necessary fix.

    If updating is not immediately possible, consider temporarily disabling Apple OAuth login functionality until the update can be applied.

    Discovery and Disclosure

    This vulnerability was discovered by István Márton and responsibly disclosed to the vendor on March 3, 2025. The issue was publicly disclosed on May 5, 2025. For more technical information, see the Wordfence advisory.

    Conclusion

    CVE-2025-1909 highlights the importance of rigorous identity validation in third-party authentication mechanisms. Website owners using BuddyBoss Platform Pro should take immediate action to mitigate potential exploitation and protect user accounts from unauthorized access.

  • Critical RCE Vulnerability in Kubernetes ingress-nginx (CVE-2025-1974)

    Overview

    A critical security vulnerability has been identified in the Kubernetes ingress-nginx controller, tracked as CVE-2025-1974. This vulnerability allows unauthenticated attackers with access to the pod network to achieve Remote Code Execution (RCE) within the context of the ingress-nginx controller, potentially leading to the disclosure of Kubernetes Secrets across the cluster.

    Technical Details

    The vulnerability stems from the Validating Admission Controller module in the ingress-nginx project. Under certain misconfigured conditions, it is possible for an attacker to inject and execute arbitrary code through this admission controller if they can reach the controller from within the pod network.

    The affected versions include:

    • All versions up to 1.11.4
    • 1.12.0

    This issue was caused by improper isolation or compartmentalization, which corresponds to CWE-653. The underlying attack pattern matches CAPEC-251: Local Code Inclusion.

    CVSS and Severity

    According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has been assigned a base score of 9.8, indicating a Critical severity level. The vector string is as follows:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This means that the attack is:

    • Remotely exploitable over the network
    • Requires no user interaction
    • Requires no privileges
    • Results in high impact to confidentiality, integrity, and availability

    Impact and Risks

    If exploited, attackers may gain the ability to run arbitrary commands in the controller’s context. Since ingress-nginx controllers commonly have access to all cluster Secrets by default, this could lead to severe data leakage, credential theft, and cluster-wide compromise.

    Security researchers Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson were credited with discovering this issue. It was also assessed under the CISA SSVC framework as having:

    • Proof of Concept (PoC) exploitation
    • Automatable potential
    • Total technical impact

    Mitigation and Workaround

    Before applying the official patch, system administrators can mitigate this vulnerability by disabling the Validating Admission Controller in ingress-nginx. However, this may affect some admission control policies, so review your cluster’s configuration accordingly.

    To disable the controller, modify the deployment to remove or comment out the relevant webhook configurations. More details are available on the Kubernetes GitHub issue: GitHub Issue 131009.

    Conclusion

    CVE-2025-1974 highlights the importance of strict isolation and privilege boundaries within Kubernetes controllers. Administrators using ingress-nginx should update to a patched version as soon as it becomes available, and review network access controls within their clusters.

  • CVE-2025-29814: Critical Privilege Escalation in Microsoft Partner Center

    Overview

    On March 21, 2025, Microsoft disclosed a critical security vulnerability identified as CVE-2025-29814 in the Microsoft Partner Center. This flaw allows an authorized attacker to escalate privileges across a network due to improper authorization mechanisms.

    The issue has been categorized under CWE-20: Improper Input Validation. It carries a CVSS 3.1 base score of 9.3, classifying it as a critical vulnerability.

    What is Microsoft Partner Center?

    The Microsoft Partner Center is an administrative platform for managing partner relationships, customer subscriptions, and billing across Microsoft services. It serves as a central hub for service provisioning, making it a high-value target for attackers seeking to exploit privilege escalation weaknesses.

    Technical Details

    The vulnerability stems from improper authorization validation in the Microsoft Partner Center API. While exact implementation details are not public, Microsoft has confirmed that an attacker with basic access rights can exploit the flaw to gain elevated privileges on the system. This allows for actions typically reserved for higher-privilege accounts, such as administrative functions.

    • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
    • Severity: Critical (9.3)
    • Attack Vector: Network
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
    • Impact: High on integrity and availability

    Understanding CVSS 3.1 Metrics

    The CVSS (Common Vulnerability Scoring System) is a framework used to assess the severity of software vulnerabilities. This CVE’s high score of 9.3 indicates significant potential for damage if exploited, especially considering the ease of exploitation (low complexity) and the absence of required privileges.

    Security Classification: CWE-20

    CWE-20 refers to Improper Input Validation, where an application does not properly check the inputs it receives. In this case, failure to validate authorization credentials allows privilege escalation. This is a common and dangerous class of vulnerability due to its potential to affect system-wide security.

    Exploitation Status and Impact

    According to CISA’s SSVC (Stakeholder-Specific Vulnerability Categorization), exploitation of this vulnerability had not been observed at the time of disclosure. However, the technical impact is rated as total, emphasizing the urgency for mitigation.

    While the flaw is in a cloud-hosted platform, system administrators and partners relying on Microsoft Partner Center should apply any available patches or mitigations immediately and audit account activity for suspicious behavior.

    Mitigation and Recommendations

    • Follow Microsoft’s official advisory for updates: CVE-2025-29814 Advisory
    • Enable monitoring and alerting on all administrative activity
    • Review user access privileges and implement the principle of least privilege
    • Apply available patches or updates provided by Microsoft

    Conclusion

    CVE-2025-29814 highlights the critical importance of proper authorization in cloud service platforms. The potential for widespread privilege escalation demands immediate attention from affected organizations. Stay vigilant and prioritize timely updates and access control reviews.

  • CVE-2025-47284: Critical Privilege Escalation in Gardener via Metadata Injection

    Overview

    On May 19, 2025, a critical security vulnerability was published under the identifier CVE-2025-47284, affecting the Gardener project—a tool used for the automated management of Kubernetes clusters as a service. The issue resides in the gardenlet component and poses a serious risk of privilege escalation due to improper handling of metadata injection.

    What is Gardener?

    Gardener is an open-source project developed by SAP that provides Kubernetes-as-a-Service by automating the provisioning and operation of Kubernetes clusters. It uses a control plane for each managed cluster and supports multi-cloud environments. A component called gardenlet is deployed on seed clusters to manage shoot clusters on behalf of users.

    Vulnerability Details

    The vulnerability arises from improper neutralization of escape, meta, or control sequences, classified as CWE-150. Specifically, metadata injection into project secrets can be exploited by an attacker with administrative privileges over a Gardener project. This enables the attacker to escalate their privileges and gain control over the seed clusters that host the shoot clusters for that project.

    All Gardener installations using the gardener/gardener-extension-provider-gcp module are affected.

    Technical Impact

    • CVSS v3.0 Score: 9.9 (Critical)
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, and Availability Impact: High

    The vulnerability can be exploited remotely over the network and requires only low-level privileges within the Gardener project. No user interaction is required. Once exploited, the attacker can manipulate critical cluster management operations and compromise the integrity and availability of managed Kubernetes environments.

    Affected Versions

    • Gardener versions < 1.116.4
    • Gardener 1.117.0 to < 1.117.5
    • Gardener 1.118.0 to < 1.118.2

    Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 contain patches addressing this issue.

    Mitigation

    It is strongly recommended that users upgrade to the latest patched versions of Gardener as listed above. Immediate action is required for any deployments using the vulnerable gardener-extension-provider-gcp module.

    Conclusion

    CVE-2025-47284 underscores the importance of secure metadata handling in cloud-native platforms. With a near-maximum CVSS score and the potential for full cluster compromise, this flaw should be addressed promptly by all affected users. For more details, refer to the GitHub security advisory.

  • CVE-2025-47283: Critical Privilege Escalation in Gardener Kubernetes Management

    Overview

    On May 19, 2025, a critical vulnerability was disclosed in the Gardener Kubernetes cluster management platform. Identified as CVE-2025-47283, the flaw permits privilege escalation by bypassing project secret validation, potentially allowing a project administrator to gain unauthorized access to the seed cluster(s) responsible for managing shoot clusters.

    This vulnerability is tracked under GHSA-3hw7-qj9h-r835 and has been rated as Critical with a CVSS v3.0 base score of 9.9.

    Technical Details

    The vulnerability stems from improper input validation, categorized under CWE-20: Improper Input Validation. This means that user-supplied data is not properly checked before being processed, allowing potentially malicious input to influence system behavior.

    In the context of Gardener, an administrative user within a project could manipulate secrets associated with their cluster to influence the behavior of the gardenlet component running on the seed cluster. This manipulation enables them to elevate privileges and execute operations outside their intended scope.

    Impact

    This flaw impacts all Gardener installations regardless of the public cloud provider used for the seed or shoot clusters. Exploitation could allow:

    • Unauthorized control over seed clusters
    • Compromise of other tenant clusters
    • Loss of confidentiality, integrity, and availability within the Kubernetes management infrastructure

    The vulnerability has a Changed Scope in the CVSS vector, indicating that an attacker’s access could impact components beyond the initially vulnerable system.

    Affected Versions

    The following versions of gardener/gardener are affected:

    • All versions prior to 1.116.4
    • Versions 1.117.0 through 1.117.4
    • Versions 1.118.0 through 1.118.1

    Mitigation

    Users are strongly advised to upgrade to one of the following patched versions:

    • 1.116.4
    • 1.117.5
    • 1.118.2
    • 1.119.0 or later

    Upgrading ensures that project secret validation is enforced correctly, preventing unauthorized privilege escalation within the system.

    Understanding the Terms

    Gardener is an open-source project developed by SAP that enables the automated management of Kubernetes clusters at scale. It introduces the concept of shoot clusters (end-user Kubernetes clusters) and seed clusters (infrastructure clusters that host shoot clusters).

    CVSS (Common Vulnerability Scoring System) provides a numerical score to indicate the severity of a vulnerability. A score of 9.9 indicates an extremely high risk, especially when no user interaction is required and the attack can be performed remotely.

    CWE-20 represents a category of vulnerabilities arising from improper input validation, a common flaw that can lead to injection, escalation, or arbitrary code execution.

    Conclusion

    CVE-2025-47283 highlights the importance of strict input validation and the risks posed by misconfigured secrets in Kubernetes management platforms. Organizations using Gardener should patch immediately and review their cluster access policies to ensure secure multi-tenancy.