Karl.Fail

Tag: score:9.8

  • CVE-2025-21307: Critical Remote Code Execution in Windows RMCAST Driver

    Overview

    On January 14, 2025, Microsoft disclosed CVE-2025-21307, a critical vulnerability in the Windows Reliable Multicast Transport (RMCAST) driver that enables remote code execution. With a CVSS v3.1 base score of 9.8, this vulnerability poses a severe threat to numerous supported and legacy Windows systems.

    Technical Details

    The issue stems from a Use After Free vulnerability, classified as CWE-416. This occurs when a program continues to use a pointer after it has been freed, allowing an attacker to exploit the dangling pointer to execute arbitrary code within the kernel space. Given that RMCAST operates at a low-level networking layer, this provides an attacker significant control over system behavior once exploited.

    The vulnerability affects a wide range of Windows versions, including:

    • Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
    • Windows 11 (versions 22H2, 23H2, 24H2)
    • Windows Server (2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2025)

    Exploitation does not require authentication or user interaction, and the attack can be carried out over the network, making it highly dangerous in unsegmented or exposed environments.

    Impact

    According to the CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), this vulnerability allows:

    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

    The vulnerability is not known to be exploited in the wild at the time of disclosure, and Microsoft has issued updates to remediate the issue. The CISA SSVC analysis classified this flaw as having a total technical impact with the potential for automated exploitation, emphasizing the urgency for mitigation.

    Mitigation and Recommendations

    Microsoft has released patches through its regular update channels. All affected systems should be updated immediately to versions beyond:

    • 10.0.17763.6775 (Windows 10 Version 1809)
    • 10.0.20348.3091 (Windows Server 2022)
    • 10.0.22621.4751 (Windows 11 22H2)

    System administrators are encouraged to:

    • Deploy patches as soon as possible.
    • Use network segmentation and firewalls to reduce the attack surface.
    • Audit multicast traffic and disable RMCAST if not in use.

    Conclusion

    CVE-2025-21307 represents a serious risk due to its low complexity, remote exploitability, and severe impact. With broad applicability across many supported and end-of-life systems, proactive patching is essential. Organizations should prioritize this vulnerability and monitor vendor advisories for ongoing updates.

    For further information, visit the official Microsoft advisory.

  • Critical Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298)

    Overview

    CVE-2025-21298 is a critical vulnerability in Microsoft Windows related to the Object Linking and Embedding (OLE) technology. The flaw enables remote code execution (RCE) through a ‘use-after-free’ condition, classified under CWE-416. This vulnerability impacts a wide range of Windows operating systems and server editions, making it one of the most severe security issues addressed in early 2025.

    Technical Details

    The root cause of this vulnerability lies in improper memory management during the handling of OLE objects. An attacker can exploit a use-after-free error to execute arbitrary code in the context of the user running the affected application. The attack vector is remote and does not require prior authentication or user interaction.

    The vulnerability is identified by the following CVSS v3.1 vector:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Base Score: 9.8 (Critical)
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Affected Systems

    This vulnerability affects a broad set of Windows versions, including:

    • Windows 10 (various builds from 1507 to 22H2)
    • Windows 11 (22H2, 23H2, 24H2)
    • Windows Server (2008 SP2, 2012, 2016, 2019, 2022, 2025)

    Mitigation and Recommendations

    • Apply security updates released in the January 2025 Patch Tuesday immediately.
    • Restrict OLE functionality where not needed, especially in environments handling untrusted content.
    • Monitor systems for signs of exploitation, particularly for abnormal memory access patterns or unexpected OLE behaviors.

    Conclusion

    CVE-2025-21298 demonstrates the persistent threat of memory safety vulnerabilities in complex, legacy components like OLE. Organizations must apply updates promptly and evaluate mitigation controls for high-risk environments.

    For more details, see the official Microsoft advisory: MSRC: CVE-2025-21298

  • Critical Remote Takeover Vulnerability in JD Edwards EnterpriseOne Tools (CVE-2025-21524)

    Overview

    CVE-2025-21524 is a critical vulnerability discovered in Oracle’s JD Edwards EnterpriseOne Tools, specifically in the Monitoring and Diagnostics SEC component. This flaw allows unauthenticated attackers with network access via HTTP to completely compromise affected systems.

    Technical Details

    The vulnerability is rooted in missing authentication checks for critical functions, as classified under CWE-306: Missing Authentication for Critical Function. An attacker can exploit the issue by sending crafted HTTP requests to the application without requiring any user credentials or interaction.

    Once exploited, the attacker gains full control over JD Edwards EnterpriseOne Tools, including the ability to manipulate data, access sensitive information, and disrupt business operations through service compromise.

    Severity and CVSS

    The vulnerability has been assessed with a CVSS v3.1 base score of 9.8 (Critical). The associated vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality, Integrity, and Availability Impact: High

    This configuration indicates the vulnerability is easily exploitable and highly impactful, making it an urgent risk for organizations running affected systems.

    Affected Versions

    All versions of JD Edwards EnterpriseOne Tools prior to 9.2.9.0 are impacted by this vulnerability.

    Mitigation and Recommendations

    • Upgrade to version 9.2.9.0 or later immediately.
    • Ensure HTTP access to JD Edwards environments is restricted to trusted networks.
    • Review system logs and configurations for signs of exploitation or abnormal behavior.
    • Conduct a broader security audit of exposure points in JD Edwards deployments.

    Conclusion

    CVE-2025-21524 highlights the dangers of missing authentication mechanisms in critical enterprise software. Oracle has addressed the issue in its January 2025 Critical Patch Update. Organizations using JD Edwards must prioritize this update to protect their environments from full system compromise.

    For official details, refer to Oracle’s advisory: Oracle CPU January 2025

  • Critical Remote Takeover Vulnerability in Oracle WebLogic Server (CVE-2025-21535)

    Overview

    CVE-2025-21535 is a critical vulnerability impacting Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw allows unauthenticated attackers with network access via T3 or IIOP protocols to fully compromise vulnerable systems without user interaction.

    Technical Details

    This vulnerability resides in the Core component of WebLogic Server and is categorized under CWE-306: Missing Authentication for Critical Function. The issue enables attackers to send specially crafted requests to execute arbitrary operations on the server, resulting in complete system takeover.

    The attack does not require credentials or any user interaction. Exploitation is possible over the network, making this vulnerability especially dangerous in exposed environments or misconfigured systems.

    CVSS Score and Severity

    The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical). The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High on confidentiality, integrity, and availability

    Affected Versions

    • Oracle WebLogic Server 12.2.1.4.0
    • Oracle WebLogic Server 14.1.1.0.0

    Both versions are vulnerable and require immediate remediation.

    Mitigation and Recommendations

    • Apply the patches provided in Oracle’s January 2025 Critical Patch Update (CPU) without delay.
    • Restrict external access to T3 and IIOP protocols at the network perimeter.
    • Monitor logs for signs of unauthorized access or suspicious activity targeting WebLogic services.

    Conclusion

    CVE-2025-21535 represents a highly exploitable vulnerability with the potential for full remote takeover of WebLogic Server instances. Given the critical nature of this flaw and its network accessibility, organizations using the affected versions must act urgently to secure their systems.

    For more information, consult the official Oracle advisory: Oracle CPU January 2025

  • Critical Elevation of Privilege via NTLMv1 in Windows (CVE-2025-21311)

    Overview

    CVE-2025-21311 is a critical vulnerability in Microsoft’s implementation of the NTLM version 1 (NTLMv1) authentication protocol. This flaw permits an attacker to gain elevated privileges through network-based exploitation, impacting various supported versions of Windows, including Windows Server 2025 and Windows 11 24H2.

    Technical Details

    The vulnerability stems from an incorrect implementation of authentication algorithms, categorized under CWE-303: Incorrect Implementation of Authentication Algorithm. Specifically, the use of the outdated and insecure NTLMv1 allows attackers to craft or intercept authentication messages, potentially leading to privilege escalation.

    Unlike its successor NTLMv2, NTLMv1 lacks modern cryptographic protections and is more susceptible to relay attacks and credential manipulation. This vulnerability is especially dangerous in domain environments where NTLM is still supported for backward compatibility.

    CVSS Score and Severity

    This vulnerability has been assessed with a CVSS v3.1 base score of 9.8 (Critical), with the following vector:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    This combination indicates that the flaw is easily exploitable and can cause significant harm if leveraged by a malicious actor.

    Affected Systems

    • Windows Server 2025 (x64, Server Core) – Versions before 10.0.26100.2894
    • Windows Server 2022, 23H2 Edition – Versions before 10.0.25398.1369
    • Windows 11 24H2 (ARM64 & x64) – Versions before 10.0.26100.2894

    Mitigation and Recommendations

    Microsoft has addressed this vulnerability in cumulative updates released after January 2025. Organizations should:

    • Ensure systems are updated to the latest security patches.
    • Disable NTLMv1 wherever possible and enforce the use of NTLMv2 or Kerberos for authentication.
    • Audit authentication logs for anomalous NTLM traffic.

    Conclusion

    CVE-2025-21311 highlights the critical risks of legacy protocol support in modern systems. NTLMv1 has long been deprecated, and its continued use poses serious security threats. Organizations must act quickly to update systems and eliminate NTLMv1 reliance to prevent exploitation.

    For more details, refer to the official Microsoft advisory: MSRC: CVE-2025-21311

  • CVE-2025-27816: Critical Deserialization Vulnerability in Arctera InfoScale

    Overview

    On March 7, 2025, a critical vulnerability identified as CVE-2025-27816 was published, impacting Arctera InfoScale versions 7.0 through 8.0.2. The issue is related to CWE-502: Deserialization of Untrusted Data, a serious vulnerability category known to enable remote code execution and full system compromise if improperly handled.

    Vulnerability Details

    The vulnerability exists in the Plugin_Host service within InfoScale, a component that runs on all Windows servers where InfoScale is installed. This service is used when applications are configured for Disaster Recovery (DR) through the DR wizard. An attacker can exploit this service by sending untrusted serialized .NET messages to the remoting endpoint, which leads to insecure deserialization.

    This vulnerability is especially dangerous due to its reach across all DR-enabled servers and the lack of required user interaction or privileges for exploitation.

    Technical Analysis

    According to the CVSS v3.1 scoring system, CVE-2025-27816 has a base score of 9.8 (Critical). The vector string is:

    CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N

    Key attributes include:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Confidentiality, Integrity, Availability Impact: High

    Because exploitation does not require any privileges or interaction, and the Plugin_Host service is active across all DR-configured installations, the potential for automated large-scale attacks is significant.

    Understanding CWE-502

    CWE-502 involves the deserialization of untrusted data, which can lead to code execution if the application automatically instantiates objects from serialized input. Without validation or sandboxing, this leads to arbitrary behavior controlled by an attacker.

    Impact and Mitigation

    Successful exploitation could allow attackers to:

    • Remotely execute arbitrary code
    • Compromise system integrity and confidentiality
    • Cause service disruption or deploy persistent malware

    Mitigation is straightforward but essential. Manually disabling the Plugin_Host service effectively removes the vulnerable surface. Organizations should also review DR configurations and deploy any available patches or vendor advisories.

    Conclusion

    CVE-2025-27816 is a high-risk vulnerability that underscores the critical danger of insecure deserialization, particularly in enterprise-grade disaster recovery environments. Its simplicity of exploitation and severity of impact make it an urgent issue for InfoScale users to address.

    More information and mitigation guidance is available in the official advisory.

  • CVE-2025-26763: PHP Object Injection in MetaSlider Plugin for WordPress

    Overview

    CVE-2025-26763 discloses a critical vulnerability in the popular Responsive Slider by MetaSlider WordPress plugin, affecting all versions up to and including 3.94.0. This issue permits PHP Object Injection via deserialization of untrusted data, exposing affected websites to potential code execution and full system compromise.

    Technical Details

    The vulnerability is categorized under CWE-502: Deserialization of Untrusted Data. In affected versions, insufficient validation when handling serialized data allows attackers to inject specially crafted objects. These objects can manipulate application behavior or trigger execution paths leading to arbitrary code execution, depending on the availability of a Property-Oriented Programming (POP) chain.

    The vulnerable code path does not require authentication or user interaction, making exploitation feasible via network-based attacks.

    Severity and CVSS Score

    This vulnerability is rated as Critical with a CVSS v3.1 base score of 9.8. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Impact

    If exploited, this vulnerability may allow attackers to:

    • Execute arbitrary PHP code on the server
    • Access or modify sensitive data
    • Disrupt website functionality or availability

    The severity is compounded by the plugin’s widespread usage in WordPress sites and the unauthenticated nature of the attack vector.

    Mitigation

    • Update Immediately: Upgrade to MetaSlider version 3.95.0 or later.
    • Monitor for Indicators of Compromise: Review server logs and file integrity for any suspicious activity.
    • Restrict Unnecessary Plugin Use: Deactivate or remove unused plugins to reduce attack surface.

    References

    Credits

    Thanks to Le Ngoc Anh (Patchstack Alliance) for responsibly reporting this vulnerability.

  • CVE-2025-2780: Critical File Upload Vulnerability in Woffice Core Plugin

    Overview

    A critical vulnerability has been identified in the Woffice Core plugin for WordPress, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2780, this flaw enables authenticated users with Subscriber-level access or higher to upload arbitrary files to the server due to missing file type validation in the saveFeaturedImage function.

    Technical Details

    The issue arises from the lack of proper file type validation, which permits users with minimal privileges to upload files of any type. Classified under CWE-434: Unrestricted Upload of File with Dangerous Type, this vulnerability can be exploited to upload executable scripts that may lead to remote code execution (RCE) on the hosting server.

    The vulnerable function, saveFeaturedImage, fails to restrict file MIME types or sanitize file content. This creates an opportunity for threat actors to upload malicious payloads disguised as images or documents.

    Severity and CVSS Score

    This vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score reflects:

    • Network-based attack vector
    • Low complexity
    • No user interaction required
    • High impact on confidentiality, integrity, and availability

    Potential Impact

    Authenticated users, including Subscribers, could upload files that execute arbitrary code. This opens the door to complete server takeover, data theft, or lateral movement within the hosting environment. Since the attack can be automated, it represents a significant threat for any site using the vulnerable plugin version.

    Mitigation and Recommendations

    • Update Immediately: Upgrade to Woffice Core version 5.4.22 or later.
    • Restrict File Uploads: Use application-layer firewalls or additional plugins to limit file upload types.
    • Monitor Logs: Review recent uploads and access logs for suspicious activity.
    • Review User Roles: Ensure only necessary users have upload permissions.

    References

    Credits

    This vulnerability was responsibly disclosed by Friderika Baranyai.

  • CVE-2025-2798: Critical Authentication Bypass in Woffice CRM WordPress Theme

    Overview

    A critical security vulnerability has been discovered in the Woffice CRM WordPress theme, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2798, this flaw allows unauthenticated users to gain Administrator-level access through a misconfiguration in the user registration process.

    Technical Details

    The vulnerability is rooted in improper privilege management (CWE-269). Specifically, a misconfiguration involving excluded roles during registration enables attackers to exploit custom login forms. If these forms are in use, unauthenticated users may register accounts with Administrator privileges.

    Even more concerning, this issue can be compounded when combined with CVE-2025-2797, which may allow bypassing the user approval process if an Administrator is tricked into taking certain actions, such as clicking a malicious link.

    Severity and CVSS Score

    This vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This means:

    • Attack Vector: Network-based
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Impact

    The ability for unauthenticated users to register as Administrators poses a severe threat. Attackers could fully compromise the site by gaining control over its administrative features. The combination with other vulnerabilities further increases the risk, potentially enabling full site takeover with little to no user interaction.

    Mitigation Steps

    • Update Immediately: Upgrade to version 5.4.22 or later of the Woffice CRM theme.
    • Audit Custom Login Forms: Review and secure any custom user registration forms in use.
    • Review User Roles: Check for any suspicious administrator accounts created recently.
    • Educate Administrators: Train site admins to avoid clicking unknown or suspicious links.

    References

    Credits

    Thanks to Friderika Baranyai for responsibly disclosing this issue.

  • CVE-2025-2332: PHP Object Injection Vulnerability in WordPress Export Plugin

    Overview

    A critical vulnerability has been identified in the WordPress plugin Export All Posts, Products, Orders, Refunds & Users, affecting all versions up to and including 2.13. Tracked as CVE-2025-2332, this flaw exposes sites to PHP Object Injection due to unsafe deserialization of user input within the returnMetaValueAsCustomerInput function.

    Technical Details

    The vulnerability stems from a lack of input validation when data is passed to the returnMetaValueAsCustomerInput function. Specifically, it deserializes untrusted user input, which creates a condition known as Deserialization of Untrusted Data (CWE-502).

    This vulnerability can allow unauthenticated attackers to inject PHP objects into the application. Although the vulnerable plugin does not contain a known POP chain (Property-Oriented Programming chain), the impact becomes critical if another plugin or theme on the same site introduces such a chain. In such cases, an attacker could:

    • Delete arbitrary files
    • Access sensitive information
    • Execute arbitrary code on the server

    Severity and CVSS Score

    According to CVSS v3.1, this vulnerability has been scored 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score indicates:

    • Attack Vector (AV:N): Exploitable over the network
    • Attack Complexity (AC:L): Low complexity required
    • Privileges Required (PR:N): No authentication necessary
    • User Interaction (UI:N): No user interaction needed
    • Impact (C, I, A: H): High impact on confidentiality, integrity, and availability

    Impact Analysis

    By itself, CVE-2025-2332 cannot be exploited for arbitrary code execution due to the absence of a POP chain in the vulnerable plugin. However, in real-world environments where other plugins or themes introduce a POP chain, the potential damage becomes severe. This highlights the importance of defense-in-depth and avoiding unnecessary plugin installations.

    Mitigation and Recommendations

    • Update Immediately: Site administrators using versions ≤ 2.13 of this plugin should upgrade to a fixed version as soon as one is available.
    • Audit Plugins and Themes: Remove or replace any plugins or themes that may introduce exploitable POP chains.
    • Monitor Logs: Check for unexpected activity or unusual file changes.
    • Use Application Firewalls: Tools like Wordfence can help detect and block such injection attempts.

    References

    Credits

    This vulnerability was responsibly disclosed by Craig Smith.