Weekly Exploit Roundup
Generated 2025-12-09T08:00:13.364377+00:00 (UTC)
- Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
Source: The Hacker News | Published: 2025-12-08T09:15:00+00:00 | Score: 27.423
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.
The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active
- Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
Source: Threat Intelligence | Published: 2025-12-03T14:00:00+00:00 | Score: 23.893
Introduction. Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware: Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving. Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders. Alongside research published by our colleagues from Recorded Future and Amnesty, this blog post will shed light on Intellexa’s recent activities, unveil the real-world impact of their surveillance tools, and detail the actions we are taking against this industry. Continued Prolific Exploitation of Zero-Day Vulnerabilities. Over the past several years, Intellexa has solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities agains
- Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors
Source: Recorded Future | Published: 2025-12-08T00:00:00+00:00 | Score: 20.248
A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors; Recorded Future recommends organizations patch their systems immediately.
- React2Shell (CVE-2025-55182) – Critical unauthenticated RCE affecting React Server Components
Source: Rapid7 Cybersecurity Blog | Published: 2025-12-04T16:05:50+00:00 | Score: 20.169
Overview. Update #1: As of 4:30 PM Eastern, December 4, 2025, Rapid7 has validated that a working weaponized proof-of-concept exploit, shared by researcher @maple3142, is now publicly available. Update #2: On December 5, 2025, Lachlan Davidson, who discovered the vulnerability, has also published a proof-of-concept. A Metasploit exploit module is also available. Update #3: At 10:00 AM Eastern, December 5, 2025, CVE-2025-55182 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), confirming exploitation in the wild has begun. On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However, this second CVE has since been rejected as a duplicate of CVE-2025-55182, as the root cause in all cases is the same and should be referred to with a
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts
Source: The Hacker News | Published: 2025-12-03T17:08:00+00:00 | Score: 20.086
A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild.
The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration.
It affects versions
- Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation
Source: The Hacker News | Published: 2025-12-06T11:40:00+00:00 | Score: 19.066
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an
- Metasploit Wrap-Up 12/05/2025
Source: Rapid7 Cybersecurity Blog | Published: 2025-12-05T20:58:04+00:00 | Score: 19.029
Twonky Auth Bypass, RCEs and RISC-V Reverse Shell Payloads. This was another fantastic week in terms of PR contribution to the Metasploit Framework. Rapid7’s very own Ryan Emmons recently disclosed CVE-2025-13315 and CVE-2025-13316, which exist in Twonky Server and allow decrypting admin credentials by reading logs (which contain them) without authentication. The auxiliary module Ryan submitted which exploits both of these CVEs was released this week. Community contributor Valentin Lobsein aka Chocapikk has returned to the PR queue with a welcomed vengeance. Two modules from Chocapikk were landed this week, a Monsta FTP downloadFile Remote Code Execution module along with a WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE. In addition to some awesome module content, community contributor bcoles added Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.
New module content (5)
Twonky Server Log Leak Authentication Bypass. Author: remmons-r7. Type: Auxiliary. Pull request
- Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
Source: The Hacker News | Published: 2025-12-03T18:19:00+00:00 | Score: 17.121
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. The vulnerability has been codenamed React2shell.
It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
Source: Alerts | Published: 2025-12-08T12:00:00+00:00 | Score: 16.905
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce thei
- React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable
Source: BleepingComputer | Published: 2025-12-06T19:07:33+00:00 | Score: 16.688
Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors. […]
End of report.
