Executive Summary:
A high-severity vulnerability has been identified in "The Events Calendar," a popular WordPress plugin. This flaw, a time-based SQL Injection, could allow an unauthenticated attacker to steal sensitive information from the website's database, including user data and credentials, by sending specially crafted web requests. Organizations are strongly advised to update the affected plugin immediately to prevent potential data breaches.

Vulnerability Details

CVE-ID: CVE-2025-9807

Affected Software: The Events Calendar plugin for WordPress

Affected Versions: All versions up to and including 6.0

Vulnerability: The vulnerability is a time-based blind SQL Injection. An attacker can exploit this by sending a crafted SQL query within the 's' (search) parameter of a request to the website. The application fails to properly sanitize this input before using it in a database query. By injecting commands that cause a time delay in the database response (e.g., SLEEP() or BENCHMARK()) based on true/false conditions, an attacker can infer the contents of the database one character at a time, eventually exfiltrating sensitive data without generating direct errors.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, allowing an attacker to access, modify, or exfiltrate all data stored in the WordPress database. This includes user credentials, personal identifiable information (PII), and other confidential business data. The potential consequences include severe reputational damage, financial loss from regulatory fines (e.g., GDPR, CCPA), and the cost of incident response and recovery.

Remediation Plan

Immediate Action: Immediately update "The Events Calendar" plugin to the latest version available (a version greater than 6.0) which contains a patch for this vulnerability. After updating, review the plugin's security settings and consider disabling the plugin if it is no longer essential for business operations.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for suspicious requests containing SQL keywords (e.g., SELECT, SLEEP, BENCHMARK, UNION) within the 's' parameter. Look for an unusual number of requests from a single IP address with slight variations, which is characteristic of an automated SQL injection attack. Monitor database logs for abnormally long-running queries originating from the web application.

Compensating Controls: If patching is not immediately possible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection patterns. Ensure the WAF is in blocking mode, not just logging mode. Restrict database user permissions for the WordPress application to the absolute minimum required for it to function (principle of least privilege).

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of September 12, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this specific vulnerability. However, SQL Injection is a well-understood vulnerability class, and exploits are trivial to develop. Due to the popularity of "The Events Calendar" plugin, it is highly probable that threat actors will develop and deploy exploits rapidly.

Analyst Recommendation

Given the high severity (CVSS 7.5) and the critical risk of a complete database compromise, it is imperative that organizations take immediate action. All instances of "The Events Calendar" plugin on internet-facing WordPress sites must be identified and patched to the latest version without delay. Although this CVE is not currently listed on the CISA KEV list, its high impact and the wide deployment of the affected software make it a prime target for opportunistic and targeted attacks. Prioritize this remediation activity to prevent a potentially significant security incident.

Executive Summary:
A critical improper access control vulnerability has been identified in multiple WSO2 products, assigned a CVSS score of 9.6. This flaw allows a low-privileged user to bypass security restrictions and perform unauthorized administrative actions via internal APIs. Successful exploitation could lead to a complete compromise of the affected systems, posing a significant risk to data confidentiality, integrity, and availability.

Vulnerability Details

CVE-ID: CVE-2025-9804

Affected Software: Multiple WSO2 Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability stems from insufficient permission enforcement within certain internal SOAP Admin Services and System REST APIs. An authenticated but low-privileged attacker can craft and send malicious requests to these specific API endpoints. Because the system fails to properly validate the user's permissions, it processes these requests as if they came from a privileged administrator, allowing the attacker to perform high-level actions such as creating new administrative accounts, modifying configurations, or accessing sensitive data.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.6, indicating a high potential for significant business disruption. Exploitation could grant an attacker full administrative control over the WSO2 platform, leading to severe consequences such as a major data breach, manipulation of critical business logic, or complete service outages. The risk extends to all systems and applications integrated with the WSO2 products, potentially compromising sensitive customer data, intellectual property, and operational stability.

Remediation Plan

Immediate Action: The primary recommendation is to update all affected WSO2 products to the latest version as specified by the vendor's security advisory. After patching, it is crucial to monitor for any signs of exploitation attempts and review access logs for suspicious activity that occurred prior to the update.

Proactive Monitoring: Organizations should actively monitor for anomalous activity targeting the affected API endpoints. Specifically, look for unexpected or unauthorized calls to internal SOAP Admin Services and System REST APIs, particularly from low-privileged user accounts. Implement alerts for the creation of new administrative users or significant configuration changes originating from unusual sources.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the attack surface. Restrict network access to the management interfaces and internal APIs, allowing connections only from a trusted administrative jump host or specific IP addresses. Additionally, a Web Application Firewall (WAF) can be configured with rules to block malicious requests targeting the vulnerable API endpoints.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of October 16, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical CVSS score and the straightforward nature of the access control flaw, it is highly probable that threat actors will develop and deploy exploits in the near future.

Analyst Recommendation

Given the critical severity (CVSS 9.6) of this vulnerability, immediate action is required. Successful exploitation could grant a low-privileged attacker full administrative control, leading to a complete system compromise. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact score makes it a prime candidate for future inclusion. Organizations are strongly advised to prioritize patching all affected WSO2 products without delay to mitigate the significant risk of data breach and service disruption.

Executive Summary:
A critical authentication vulnerability exists in the Google OAuth integration for lunary-ai/lunary, allowing for complete account takeover. The software fails to verify that the login token it receives is intended for it, enabling an attacker to use a token from a malicious application to impersonate a user and gain full access to their account. This flaw poses a significant risk of unauthorized data access, modification, and potential system compromise.

Vulnerability Details

CVE-ID: CVE-2025-9803

Affected Software: lunary-ai/lunary

Affected Versions: Version 1.9.34 and prior.

Vulnerability: The application's Google OAuth implementation does not properly validate the audience (aud) claim within the JSON Web Token (JWT) provided by Google upon user authentication. The aud claim is a critical security feature that specifies the intended recipient of the token. An attacker can create a malicious application, trick a user into authenticating with it via Google, and capture the legitimate access token. Because the vulnerable Lunary application does not check if the token's aud claim matches its own client ID, it will accept this token, granting the attacker a session as the authenticated user.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.3. Successful exploitation leads to a full account takeover, granting the attacker the same privileges as the compromised user. The potential consequences include unauthorized access to and exfiltration of sensitive user or project data, data manipulation, and the ability to perform actions on behalf of the user. This can result in significant reputational damage, loss of customer trust, regulatory penalties, and the compromise of confidential information managed within the application.

Remediation Plan

Immediate Action: Immediately update all instances of lunary-ai/lunary to the patched version 1.9.35 or later. After patching, it is crucial to review authentication logs for any signs of suspicious activity that may indicate a prior compromise.

Proactive Monitoring: Monitor authentication logs for unusual login patterns, such as multiple failed login attempts followed by a success from a new IP address or geographic location. Scrutinize access logs for accounts exhibiting abnormal behavior post-authentication, such as unusually high data access or changes to account settings. Implement alerts for successful Google OAuth logins originating from unexpected sources.

Compensating Controls: If immediate patching is not feasible, consider temporarily disabling the Google OAuth login feature until the system can be updated. Alternatively, implement a Web Application Firewall (WAF) rule to inspect the incoming JWT during the authentication process and reject any token where the aud claim does not match the application's expected client ID. Enforcing mandatory multi-factor authentication (MFA) on all accounts can add another layer of security, although it may not prevent this specific exploit.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of the published date, Nov 25, 2025, there are no known public exploits or reports of this vulnerability being actively exploited in the wild. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the simplicity of the attack vector means that an exploit could be developed easily.

Analyst Recommendation

Given the critical CVSS score of 9.3 and the high impact of a successful exploit (full account takeover), this vulnerability requires immediate attention. We strongly recommend that organizations identify all instances of the affected software and apply the patch to upgrade to version 1.9.35 without delay. Following the update, a thorough review of access and authentication logs should be conducted to identify any potential historical compromise. Although not currently on the CISA KEV list, the severity of this vulnerability warrants treating it as an urgent priority.

Executive Summary:
A high-severity vulnerability has been identified in certain Tenda network devices, allowing a remote, unauthenticated attacker to gain complete control over the affected product. Successful exploitation could lead to network traffic interception, data theft, and the ability for an attacker to use the compromised device to launch further attacks against the internal network. Immediate patching is critical to mitigate the significant risk posed by this weakness.

Vulnerability Details

CVE-ID: CVE-2025-9791

Affected Software: Tenda AC20 and potentially other products

Affected Versions: Tenda AC20 firmware version 16.x. See vendor advisory for a complete list of affected products and versions.

Vulnerability: This vulnerability is a command injection flaw in the web-based management interface of the Tenda AC20 router. An unauthenticated attacker on the same network (or an attacker who can reach the management interface) can send a specially crafted HTTP request to a specific administrative endpoint. The device fails to properly sanitize user-supplied input within this request, allowing the attacker to inject and execute arbitrary operating system commands with root-level privileges, resulting in a complete compromise of the device.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation of this flaw could have a severe impact on business operations. An attacker gaining root access to a core network device can intercept all unencrypted traffic, including sensitive credentials and confidential information. The attacker could also modify network traffic, redirect users to malicious websites, disrupt network services, or use the router as a pivot point to attack other critical systems on the internal network. Furthermore, the compromised device could be co-opted into a botnet for use in larger-scale attacks like Distributed Denial-of-Service (DDoS).

Remediation Plan

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected devices. Before and after patching, administrators should monitor for any signs of exploitation attempts by reviewing device and network access logs for unusual activity or connections originating from the affected devices.

Proactive Monitoring: Implement enhanced monitoring of network traffic originating from the Tenda devices. Look for unusual outbound connections, unexpected DNS queries, or traffic patterns indicative of command-and-control (C2) communication. Review the device's web server logs for HTTP requests containing shell metacharacters (e.g., ;, |, &&, $()) or other suspicious command strings.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Disable remote/WAN management of the device's web interface.
• Restrict access to the web management interface to a limited set of trusted administrative IP addresses using firewall rules.
• Implement network segmentation to isolate the router from critical internal assets, limiting the potential impact of a compromise.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of September 1, 2025, there are no publicly available proof-of-concept exploits or observed in-the-wild exploitation campaigns targeting this vulnerability. However, vulnerabilities of this nature in network edge devices are highly attractive targets for threat actors. It is anticipated that security researchers and malicious actors will develop exploit code rapidly.

Analyst Recommendation

Given the high CVSS score of 8.8 and the potential for complete, unauthenticated remote device takeover, this vulnerability presents a critical risk to the organization. Although CVE-2025-9791 is not currently on the CISA KEV list, its severity warrants immediate and prioritized attention. We strongly recommend that all organizations using affected Tenda products apply the vendor-supplied security patches on an emergency basis. For systems that cannot be patched immediately, the compensating controls listed above should be implemented without delay to mitigate the risk.

Executive Summary:
A high-severity vulnerability has been identified in multiple TOTOLINK networking products, allowing an unauthenticated remote attacker to gain complete control over affected devices. Successful exploitation could lead to network traffic interception, denial of service, or the use of the compromised device to attack other systems on the internal network. Immediate application of vendor-provided security updates is required to mitigate this critical risk.

Vulnerability Details

CVE-ID: CVE-2025-9783

Affected Software: TOTOLINK Multiple Products

Affected Versions: The TOTOLINK A702R with firmware version 4 is confirmed to be affected. See vendor advisory for a complete list of all affected products and versions.

Vulnerability: This vulnerability is an unauthenticated command injection flaw in the device's web management interface. An attacker can send a specially crafted HTTP request to a specific, publicly accessible endpoint on the device. The endpoint fails to properly sanitize user-supplied input, allowing the attacker to inject and execute arbitrary operating system commands with the privileges of the root user, resulting in a full system compromise.

Business Impact

This vulnerability is classified as High severity with a CVSS score of 8.8. Exploitation by an attacker could have significant business impacts, including:

• Data Interception: An attacker can monitor, redirect, or alter all unencrypted network traffic passing through the compromised device, potentially exposing sensitive corporate or customer data.
• Network Disruption: The attacker could create a denial-of-service condition, disrupting internet access and internal network connectivity for all connected users.
• Internal Network Pivot: The compromised router can be used as a foothold to launch further attacks against other sensitive systems within the internal corporate network.
• Reputational Damage: The device could be co-opted into a botnet for use in broader malicious campaigns, associating the organization's IP address with criminal activity.

Remediation Plan

Immediate Action:

• Identify all vulnerable TOTOLINK devices on the network.
• Apply the security updates and patches provided by the vendor immediately to remediate the vulnerability.
• After patching, review device access logs and network logs for any signs of compromise or exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring:

• Review web server access logs on the devices for unusual or malformed requests, particularly those containing shell metacharacters (e.g., ;, |, &&, $()).
• Monitor network traffic for any unexpected outbound connections originating from the routers' management interfaces to unknown external IP addresses.
• Implement alerts for any unauthorized configuration changes or unexpected reboots of the devices.

Compensating Controls:
If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Disable remote (WAN-side) administration of the device's web interface.
• Restrict access to the web management interface to a limited set of trusted administrative IP addresses on the internal network.
• If possible, place the management interface on a dedicated, isolated management VLAN.

Exploitation Status

Public Exploit Available: false

Analyst Notes:
As of September 1, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, command injection vulnerabilities in embedded devices are often trivial to exploit. It is highly probable that a functional proof-of-concept exploit will be developed and released by security researchers or malicious actors in the near future.

Analyst Recommendation
Given the high CVSS score of 8.8 and the potential for a complete, unauthenticated remote takeover, this vulnerability poses a critical risk to the organization. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants immediate attention. Organizations are strongly advised to prioritize the patching of all affected TOTOLINK devices to prevent potential compromise. If patching cannot be performed immediately, access to the device management interface must be strictly controlled as a temporary compensating measure.

Executive Summary:
A high-severity vulnerability has been identified in multiple TOTOLINK router products, allowing an unauthenticated remote attacker to execute arbitrary commands on affected devices. Successful exploitation could lead to a complete compromise of the network device, enabling the attacker to intercept traffic, access the internal network, and disrupt network availability.

Vulnerability Details

CVE-ID: CVE-2025-9782

Affected Software: TOTOLINK Multiple Products

Affected Versions: The vulnerability is confirmed in TOTOLINK A702R firmware version 4. See vendor advisory for a complete list of specific affected products and versions.

Vulnerability: The vulnerability is an unauthenticated command injection flaw in the web management interface of the affected devices. An attacker can send a specially crafted HTTP request to a specific endpoint on the device, injecting operating system commands into a parameter that is not properly sanitized. These commands are then executed on the underlying operating system with root-level privileges, giving the attacker full control over the device.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation can result in a complete compromise of the network perimeter, leading to significant business risks. An attacker could intercept sensitive data transiting the network (e.g., credentials, financial information), pivot to attack other internal systems, disrupt internet connectivity, or use the compromised device as part of a larger botnet for launching attacks against other targets. The potential for data breaches, operational downtime, and reputational damage is substantial.

Remediation Plan

Immediate Action: Apply vendor-supplied security updates to all affected TOTOLINK devices immediately, prioritizing those with management interfaces exposed to the internet. After patching, monitor system logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: System administrators should monitor for indicators of compromise, including:

• Unusual or unauthorized outbound connections originating from the router.
• Unexpected changes in device configuration or the creation of new user accounts.
• Anomalies in network traffic patterns or unexplained bandwidth consumption.
• Reviewing web server access logs for suspicious requests containing shell commands or special characters directed at the management interface.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Disable remote (WAN) access to the device's web management interface.
• Restrict access to the management interface to a dedicated, trusted administrative network or specific IP addresses.
• Use an upstream firewall to block access to the device's management ports from all untrusted networks.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of September 1, 2025, proof-of-concept (PoC) exploit code has been publicly released, significantly increasing the likelihood of active exploitation by threat actors. While this vulnerability is not currently on the CISA KEV list, its high severity and the availability of a public exploit make it a prime candidate for future inclusion. Organizations should assume active scanning and exploitation attempts are underway.

Analyst Recommendation
Given the high CVSS score of 8.8 and the public availability of exploit code, this vulnerability poses a critical risk to the organization. We strongly recommend that all affected TOTOLINK devices are patched immediately, following the principle of "patch, then monitor." If patching is delayed for any reason, compensating controls, particularly disabling WAN management, must be implemented as a critical interim measure. Any successful exploitation should be treated as a full device and potential network compromise, triggering incident response procedures.

Executive Summary:
A high-severity vulnerability has been identified in multiple TOTOLINK networking products, allowing a remote, unauthenticated attacker to execute arbitrary commands on affected devices. Successful exploitation could lead to a complete compromise of the device, enabling an attacker to intercept network traffic, disrupt services, or use the device as a pivot point to attack other systems on the network.

Vulnerability Details

CVE-ID: CVE-2025-9781

Affected Software: TOTOLINK Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability exists within the web management interface of the affected devices. An attacker can send a specially crafted HTTP request to a specific endpoint without needing to authenticate. Due to insufficient input validation, this request can inject and execute arbitrary operating system commands with the privileges of the root user, resulting in a full system compromise.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would grant an attacker complete administrative control over the affected network device. This could lead to severe business consequences, including the interception of sensitive data traversing the network, denial-of-service attacks that disrupt business operations, and the use of the compromised device to launch further attacks against the internal corporate network. The potential for data breaches, operational downtime, and reputational damage is significant.

Remediation Plan

Immediate Action: Apply the security updates provided by TOTOLINK to all affected devices immediately. After patching, review device access logs and network logs for any signs of compromise or unusual activity that may have occurred prior to the update.

Proactive Monitoring: Monitor network traffic for anomalous outbound connections originating from the TOTOLINK devices. Review web server logs on the devices for suspicious requests, particularly those containing shell metacharacters (e.g., ;, |, &&, $()). Implement alerts for any unexpected administrative changes or system reboots.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Restrict access to the device's web management interface to a trusted internal network or specific administrative IP addresses.
• Ensure the management interface is not exposed to the public internet.
• Use a network firewall to block all untrusted access to the device's management ports (typically TCP 80 and 443).

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of September 1, 2025, there are no known public proof-of-concept exploits or reports of this vulnerability being actively exploited in the wild. However, vulnerabilities of this type in network edge devices are highly attractive targets for threat actors, and it is likely that an exploit will be developed and utilized in the near future.

Analyst Recommendation

Given the high CVSS score of 8.8 and the potential for a complete, unauthenticated remote compromise, this vulnerability poses a critical risk to the organization. Although CVE-2025-9781 is not currently on the CISA KEV list, its severity warrants immediate attention. The primary recommendation is to apply the vendor-supplied patches to all affected TOTOLINK devices without delay. If patching is not immediately possible, the compensating controls listed above must be implemented as a critical temporary measure to mitigate the risk of exploitation.

Executive Summary:
A high-severity vulnerability has been identified in multiple TOTOLINK network devices, allowing an unauthenticated remote attacker to execute arbitrary commands. Successful exploitation could lead to a complete compromise of the affected router, enabling the attacker to intercept network traffic, attack other devices on the internal network, or use the device in a botnet.

Vulnerability Details

CVE-ID: CVE-2025-9780

Affected Software: TOTOLINK Multiple Products

Affected Versions: TOTOLINK A702R version 4 and other products. See vendor advisory for a complete list of affected versions.

Vulnerability: This vulnerability is an unauthenticated command injection flaw in the web management interface of the affected devices. An attacker can send a specially crafted HTTP request to a specific administrative endpoint without needing to provide valid credentials. The device fails to properly sanitize user-supplied input within this request, allowing the attacker to inject and execute arbitrary operating system commands with root-level privileges, resulting in a full system compromise.

Business Impact

This vulnerability presents a significant risk to the organization, reflected by its High severity rating with a CVSS score of 8.8. Exploitation could lead to a complete loss of confidentiality, integrity, and availability of the network infrastructure managed by the affected device. Potential consequences include the interception of sensitive data traversing the network, unauthorized access to internal network resources, service disruption, and the use of the compromised device to launch further attacks or contribute to a distributed denial-of-service (DDoS) botnet.

Remediation Plan

Immediate Action: Organizations must apply the security updates provided by TOTOLINK to all affected devices immediately. After patching, system administrators should review device access logs and network traffic logs for any signs of compromise or anomalous activity that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring of network traffic to and from the affected devices. Look for unusual outbound connections, unexpected spikes in traffic, or requests to the device's web interface containing suspicious patterns or shell commands. Monitor system processes and resource utilization on the devices for any unauthorized or unexpected behavior.

Compensating Controls: If immediate patching is not feasible, restrict all access to the device's web management interface from the internet or any untrusted network. If remote management is necessary, it should be strictly firewalled and limited to a trusted set of IP addresses. Implement network segmentation to limit the potential impact of a compromised device on other critical internal assets.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of September 1, 2025, proof-of-concept (PoC) exploit code has been publicly released. While this vulnerability is not yet listed on the CISA KEV catalog, the availability of a public exploit significantly increases the likelihood of active exploitation by a wide range of threat actors. We anticipate that automated scanning for this vulnerability will begin shortly.

Analyst Recommendation

Given the high severity (CVSS 8.8) of this vulnerability and the public availability of exploit code, we strongly recommend that organizations prioritize the immediate patching of all affected TOTOLINK devices. This vulnerability represents a critical threat to the network perimeter. Even though it is not currently on the CISA KEV list, it should be treated with the highest urgency. If patching cannot be performed immediately, the compensating controls outlined above must be implemented without delay to reduce the attack surface.

Executive Summary:
A high-severity vulnerability has been identified in multiple TOTOLINK products, allowing a remote, unauthenticated attacker to potentially execute arbitrary code on affected devices. Successful exploitation could grant an adversary complete control over the network device, leading to network traffic interception, denial of service, or unauthorized access to the internal network.

Vulnerability Details

CVE-ID: CVE-2025-9779

Affected Software: TOTOLINK Multiple Products

Affected Versions: The specific vulnerability was detected in TOTOLINK A702R version 4. See vendor advisory for a complete list of all affected products and versions.

Vulnerability: This vulnerability is a remote command injection flaw in the device's web management interface. An unauthenticated attacker can send a specially crafted HTTP request to a specific endpoint on the device. Due to insufficient input validation, the malicious payload is passed directly to the underlying operating system and executed with root-level privileges, giving the attacker full control of the device.

Business Impact

This vulnerability presents a significant risk to the organization, reflected by its High severity rating with a CVSS score of 8.8. An attacker successfully exploiting this flaw could gain a persistent foothold on the network perimeter. Potential consequences include interception of sensitive data passing through the router, disruption of network services leading to operational downtime, and using the compromised device as a pivot point to launch further attacks against internal systems. A compromise of a core network device could also lead to significant reputational damage and regulatory non-compliance.

Remediation Plan

Immediate Action: The primary remediation is to apply the security updates provided by TOTOLINK immediately across all affected devices. After patching, system administrators should monitor for any signs of exploitation attempts by reviewing device and network access logs for suspicious activity originating from external IP addresses.

Proactive Monitoring: Implement enhanced monitoring for affected devices. Specifically, look for unusual outbound connections from the router, unexpected processes running on the device, and review web server logs for malformed requests targeting the management interface. Utilize network intrusion detection systems (NIDS) with signatures that can identify command injection attempts.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Disable remote (WAN) access to the device's web management interface.
• Restrict access to the management interface to a dedicated, trusted administrative network segment.
• Implement strict firewall rules to limit all non-essential inbound and outbound traffic to and from the device.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of September 1, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities in SOHO/SMB networking equipment are frequently targeted by threat actors shortly after public disclosure. Organizations should assume that exploitation is imminent.

Analyst Recommendation

Given the high CVSS score of 8.8 and the critical function of the affected network devices, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches to all affected TOTOLINK devices within the next 72 hours. Although CVE-2025-9779 is not currently on the CISA KEV list, its high severity and the likelihood of future exploitation make it a critical threat that must be addressed proactively to prevent a network compromise.

Executive Summary:
A high-severity vulnerability has been discovered in multiple 'was' products, specifically impacting RemoteClinic version 2 and earlier. This flaw could be exploited by an attacker to gain unauthorized access to the application's underlying database, potentially resulting in the theft or modification of sensitive patient information. Organizations are urged to apply the vendor-provided security updates immediately to mitigate the significant risk of a data breach.

Vulnerability Details

CVE-ID: CVE-2025-9775

Affected Software: was Multiple Products

Affected Versions: RemoteClinic versions 2 and prior. See vendor advisory for a complete list of affected products and versions.

Vulnerability: This vulnerability is a SQL Injection flaw within the data retrieval components of the affected software. A remote, authenticated attacker can send a specially crafted request to a vulnerable API endpoint to execute arbitrary SQL commands on the backend database. Successful exploitation allows the attacker to bypass security controls to read, modify, or delete sensitive data stored in the database, including Protected Health Information (PHI).

Business Impact

This vulnerability presents a high-risk threat to the organization, reflected by its CVSS score of 7.3. Exploitation could lead to a significant data breach, compromising sensitive patient or customer data, which may trigger severe regulatory fines (e.g., under HIPAA or GDPR), reputational damage, and a loss of client trust. The ability for an attacker to alter or delete records could also disrupt critical business operations, compromise data integrity, and negatively impact patient care or service delivery.

Remediation Plan

Immediate Action: Apply the security updates provided by the vendor across all affected systems without delay. Following the deployment of patches, closely monitor system and application logs for any signs of compromise or unusual activity that may have occurred prior to remediation.

Proactive Monitoring: Security teams should monitor for anomalous database queries, especially those containing SQL keywords like UNION, SELECT, or sleep/wait commands originating from the application server. Review Web Application Firewall (WAF) and network traffic logs for suspicious requests targeting the application's API endpoints. Establish baselines for normal user and application behavior to more effectively detect deviations that could indicate an attack.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with strict rulesets designed to detect and block SQL injection attempts. Additionally, restrict network access to the vulnerable application to only trusted IP ranges and ensure the application's database service account is configured with the principle of least privilege to limit the impact of a potential breach.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of September 1, 2025, there is no public proof-of-concept (PoC) exploit code available, and this vulnerability is not known to be actively exploited in the wild. However, due to the nature of SQL injection flaws, it is anticipated that threat actors will develop exploitation methods quickly.

Analyst Recommendation

Given the high severity rating (CVSS 7.3) and the direct risk to sensitive data, organizations must prioritize the immediate deployment of the vendor-supplied patches as an emergency change. While this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for significant impact makes it a prime target for future attacks. Proactive patching is the most critical and effective defense to prevent exploitation and protect the organization from a potential data breach and operational disruption.

Executive Summary:
A high-severity vulnerability has been identified in the was RemoteClinic software platform, which could allow an unauthenticated attacker to gain unauthorized access to the system's underlying database. Successful exploitation could lead to the exposure, modification, or deletion of sensitive patient health information, posing a significant risk to data confidentiality and integrity. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this critical threat.

Vulnerability Details

CVE-ID: CVE-2025-9772

Affected Software: was RemoteClinic (Note: Vendor advisory states "Multiple Products", but provides specifics for RemoteClinic)

Affected Versions: Version 2.0 and prior.

Vulnerability: The vulnerability is an unauthenticated SQL injection flaw in the patient portal's appointment scheduling API endpoint. An unauthenticated remote attacker can send a specially crafted HTTP request containing malicious SQL queries to this endpoint. Due to improper input sanitization, the application directly incorporates this user-supplied input into a database query, allowing the attacker to bypass authentication controls, exfiltrate sensitive data from the database, modify records, or potentially achieve remote code execution depending on the database configuration.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.3. The primary business impact is the potential for a significant data breach involving Protected Health Information (PHI). Exploitation could lead to severe regulatory penalties under frameworks like HIPAA, substantial financial loss, and irreparable reputational damage. The compromise of patient data would erode patient trust and could result in legal action, directly impacting the organization's operational and financial stability.

Remediation Plan

Immediate Action:
The primary remediation is to apply the security updates released by the vendor across all affected instances of RemoteClinic immediately. Prioritize patching for systems that are exposed to the internet. After patching, it is crucial to review access and application logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring:
Security teams should actively monitor for exploitation attempts. This includes analyzing web server and application logs for suspicious requests to the appointment scheduling API endpoint, specifically looking for SQL keywords (e.g., UNION, SELECT, ' OR 1=1, --). Implement alerts for a high volume of database errors or unusual data access patterns originating from the web application server.

Compensating Controls:
If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks. If possible, restrict network access to the affected application to only trusted IP addresses and internal networks until patching can be completed.

Exploitation Status

Public Exploit Available: false

Analyst Notes:
As of September 1, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, given the high severity and the straightforward nature of SQL injection flaws, it is highly probable that threat actors will develop and deploy exploits in the near future.

Analyst Recommendation

Given the High severity rating (CVSS 7.3) and the critical risk of a patient data breach, this vulnerability requires immediate attention. Although CVE-2025-9772 is not currently on the CISA KEV list, organizations should treat it with the highest priority due to the severe potential business impact. We strongly recommend that all organizations using the affected software apply the vendor-provided patches without delay. In parallel, security teams must enhance monitoring for indicators of compromise and deploy compensating controls, such as a WAF, to provide an additional layer of defense.

Executive Summary:
A critical vulnerability has been identified in the "Post By Email" plugin for WordPress, rated 9.8 out of 10. This flaw allows an unauthenticated attacker to upload malicious files to the web server, which can lead to a complete compromise of the website. Successful exploitation could result in data theft, website defacement, and further attacks originating from the compromised server.

Vulnerability Details

CVE-ID: CVE-2025-9762

Affected Software: Post By Email plugin for WordPress

Affected Versions: All versions up to, and including, 1.0.4b

Vulnerability: The vulnerability exists within the save_attachments function of the plugin, which is responsible for processing email attachments. The function fails to properly validate the file types of attachments before saving them to the server. An attacker can exploit this by sending a specially crafted email with a malicious executable file (e.g., a PHP web shell) as an attachment, potentially disguised as a common file type. The plugin will process the email and save the malicious file to a web-accessible directory, allowing the attacker to execute the code and gain full control over the web server.

Business Impact

This vulnerability is of critical severity with a CVSS score of 9.8. Exploitation could lead to a complete system compromise, posing a significant risk to the organization. Potential consequences include theft of sensitive data such as customer information or intellectual property, disruption of business operations through website defacement or downtime, and reputational damage. The compromised server could also be used as a platform to launch further attacks against other systems, creating additional legal and financial liabilities.

Remediation Plan

Immediate Action: Immediately update the "Post By Email" plugin for WordPress to the latest version available from the vendor, which addresses this vulnerability. After patching, verify that the update was successful and the site is functioning correctly.

Proactive Monitoring: Review web server access logs for suspicious POST requests or direct access attempts to unexpected files in WordPress upload directories (e.g., .php, .phtml files). Monitor for any unexpected files appearing in the /wp-content/uploads/ directory. Implement file integrity monitoring to detect unauthorized changes to the website's file system.

Compensating Controls: If immediate patching is not feasible, consider the following controls:

• Disable and remove the "Post By Email" plugin until it can be safely updated.
• Deploy a Web Application Firewall (WAF) with rules designed to inspect and block malicious file uploads.
• Harden web server permissions to prevent script execution in directories where file uploads are stored.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Sep 30, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the straightforward nature of arbitrary file upload vulnerabilities and the widespread use of WordPress, proof-of-concept exploits are likely to be developed quickly.

Analyst Recommendation

Given the critical CVSS score of 9.8 and the high potential for remote code execution, immediate remediation is strongly recommended. Organizations must prioritize updating the affected "Post By Email" plugin to the latest patched version without delay. Although this vulnerability is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severity makes it a highly attractive target for threat actors, and organizations should treat it as an imminent threat.

Executive Summary:
A critical path traversal vulnerability has been identified in multiple Ivanti Endpoint Manager products, tracked as CVE-2025-9713. This flaw allows a remote, unauthenticated attacker to bypass security controls and execute arbitrary code on affected servers, potentially leading to a full system compromise. Due to the high severity and the internet-facing nature of these systems, this vulnerability poses a significant and immediate risk to the organization's data and network integrity.

Vulnerability Details

CVE-ID: CVE-2025-9713

Affected Software: Ivanti Endpoint Manager

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability is a path traversal (also known as directory traversal) flaw within a component of the Ivanti Endpoint Manager web interface. An unauthenticated remote attacker can craft a malicious HTTP request containing special character sequences (e.g., ../) to navigate outside of the intended web root directory. By exploiting this flaw, an attacker can access, read, or write to arbitrary files on the server, which can be leveraged to upload a malicious file (such as a web shell) to a web-accessible directory, resulting in remote code execution (RCE) with the privileges of the web server's service account.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation would grant an attacker complete control over the affected Ivanti server. The potential consequences include theft of sensitive corporate data, deployment of ransomware, disruption of endpoint management services, and using the compromised server as a pivot point for further attacks into the internal network. This presents a severe risk to the confidentiality, integrity, and availability of the organization's data and IT infrastructure.

Remediation Plan

Immediate Action: Apply the security patches provided by the vendor to all affected Ivanti Endpoint Manager instances immediately, prioritizing internet-facing systems. After patching, it is crucial to review web server and application access logs for any signs of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. Look for unusual patterns in web server logs (e.g., IIS logs) containing directory traversal sequences like ../, ..%2f, or ..\\. On the host system, monitor for suspicious processes spawned by the web server service (e.g., w3wp.exe spawning cmd.exe or powershell.exe) and unexpected outbound network connections from the server.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to mitigate risk:

• Restrict access to the Ivanti Endpoint Manager web interface from the internet using a firewall or require access via a secure VPN.
• Deploy a Web Application Firewall (WAF) with rules specifically configured to detect and block path traversal attack patterns.
• Ensure Endpoint Detection and Response (EDR) solutions are active on the server to detect anomalous process behavior.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of October 13, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities in internet-facing security products like Ivanti's are highly attractive targets for threat actors. It is anticipated that attackers will reverse-engineer the vendor patches to develop a working exploit in the near future.

Analyst Recommendation

Given the critical nature of this unauthenticated remote code execution vulnerability (CVSS 8.8), we strongly recommend that organizations treat this as a top priority. All internet-facing Ivanti Endpoint Manager systems must be patched immediately. While this CVE is not yet on the CISA KEV list, its high severity and the history of threat actor interest in Ivanti products suggest it may be added if widespread exploitation occurs. Organizations should assume imminent exploitation and proceed with patching and proactive threat hunting without delay.

Executive Summary:
A critical vulnerability exists in the Ajax WooSearch WordPress plugin, identified as CVE-2025-9697, with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to execute arbitrary commands on the website's database, potentially leading to a complete site takeover, sensitive data theft, or website defacement. Immediate patching is required to mitigate the significant risk of compromise.

Vulnerability Details

CVE-ID: CVE-2025-9697

Affected Software: The Ajax WooSearch WordPress plugin

Affected Versions: All versions up to and including 1.0.0

Vulnerability:
The vulnerability is an unauthenticated SQL Injection. The Ajax WooSearch plugin exposes an AJAX action that is accessible to users who are not logged in. The code responsible for handling this action fails to properly sanitize or use prepared statements for a parameter that is passed into a database query. An unauthenticated remote attacker can send a specially crafted request to this AJAX endpoint, injecting malicious SQL syntax into the vulnerable parameter, which is then executed directly by the website's database. This allows the attacker to read, modify, or delete database contents, potentially leading to the disclosure of sensitive information like user credentials and customer data, or even achieving remote code execution depending on database and server configurations.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can have severe consequences for the business, including a full-scale data breach involving sensitive customer information, order details, and user credentials. Such a breach could result in significant financial losses, regulatory fines (e.g., under GDPR or CCPA), and irreparable reputational damage. An attacker could also deface the website, inject malicious code to attack site visitors, or use the compromised server as a pivot point for further attacks on the internal network, leading to widespread business disruption.

Remediation Plan

Immediate Action:
The primary and most effective remediation is to update The Ajax WooSearch WordPress plugin to the latest version as recommended by the vendor. After applying the update, it is crucial to monitor for any signs of post-patch exploitation attempts and review web server and database access logs for any suspicious activity that may have occurred prior to patching.

Proactive Monitoring:

• Log Analysis: Review web server access logs for unusual POST or GET requests to the plugin's AJAX endpoints, specifically looking for common SQL injection payloads (e.g., UNION SELECT, ' OR '1'='1, sleep()).
• Database Monitoring: Enable and monitor database query logs for anomalous or malformed queries originating from the web application.
• Web Application Firewall (WAF): Implement and configure a WAF with rulesets designed to detect and block SQL injection attacks. Monitor WAF logs for blocked attempts targeting the vulnerable plugin.

Compensating Controls:
If immediate patching is not feasible, the following temporary measures can reduce risk:

• Disable the Plugin: Deactivate and uninstall the Ajax WooSearch plugin until a patched version can be safely deployed.
• Virtual Patching: Use a Web Application Firewall (WAF) to create a custom rule that blocks requests containing malicious SQL payloads sent to the specific vulnerable AJAX endpoint.
• Principle of Least Privilege: Ensure the database user account for the WordPress application has the minimum necessary permissions, preventing it from accessing other databases or executing system commands.

Exploitation Status

Public Exploit Available: false

Analyst Notes:
As of October 2, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical severity (CVSS 9.8), ease of exploitation, and unauthenticated attack vector, it is highly probable that threat actors will develop and deploy exploits in the near future. Organizations should assume exploitation is imminent.

Analyst Recommendation

Immediate patching is strongly recommended. Given the critical CVSS score of 9.8 and the fact that the vulnerability can be exploited by any remote, unauthenticated attacker, this flaw represents a significant and immediate risk to any organization using the affected plugin. Although this vulnerability is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion due to its potential for widespread impact. All systems running vulnerable versions of the Ajax WooSearch WordPress plugin must be updated to the latest version without delay to prevent potential compromise.

Executive Summary:
A high-severity vulnerability has been identified in the "User Meta – User Profile Builder and User management" WordPress plugin. This flaw allows a malicious actor to delete arbitrary files on the server hosting the website, which could lead to a complete site outage, data loss, or create opportunities for further system compromise. Immediate patching is required to mitigate the significant risk of website defacement and denial of service.

Vulnerability Details

CVE-ID: CVE-2025-9693

Affected Software: User Meta – User Profile Builder and User management plugin for WordPress

Affected Versions: All versions up to, and including, 3

Vulnerability: The vulnerability is an Arbitrary File Deletion flaw within the postInsertUserProcess function of the plugin. Due to insufficient validation of user-supplied file paths, an attacker can craft a malicious request that tricks the function into deleting files outside of the intended directories. An attacker could potentially use path traversal techniques (e.g., ../../..) to target and delete critical system files, such as wp-config.php, .htaccess, or other core application files, leading to a denial of service or exposing sensitive configuration data.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8. Exploitation could have a significant negative impact on business operations. The primary risk is a denial-of-service condition, rendering the website completely inaccessible if critical WordPress core files are deleted. Furthermore, the deletion of specific data files could result in irreversible data loss, while the removal of security configuration files could weaken the server's defenses, making it susceptible to further attacks. The potential for reputational damage and the cost of incident response and site restoration are also considerable.

Remediation Plan

Immediate Action:

• Immediately update the "User Meta – User Profile Builder and User management" plugin to the latest version provided by the vendor, which contains a patch for this vulnerability.
• If the plugin is not essential for business operations, the most secure course of action is to deactivate and completely remove it from the WordPress installation.
• Review WordPress security settings to ensure file permissions are correctly configured to limit the web server user's ability to write or delete files in critical directories.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests to endpoints associated with the "User Meta" plugin, particularly any that contain suspicious file path manipulations (e.g., ../, %2e%2e%2f).
• Implement file integrity monitoring (FIM) on the web server to generate alerts for any unauthorized changes or deletions of critical WordPress files, especially wp-config.php.
• Review system logs for unexpected file deletion events originating from the web server process.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks targeting this plugin's functions.
• Enforce the principle of least privilege by hardening file system permissions, ensuring the user account running the web server cannot delete files outside of its designated directories (e.g., wp-content/uploads).
• Restrict administrative access to the WordPress dashboard to trusted IP addresses only, reducing the attack surface for vulnerabilities that may require authenticated access.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of September 11, 2025, there are no known public proof-of-concept exploits or active malicious campaigns targeting this vulnerability. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, vulnerabilities of this type in popular WordPress plugins are frequently reverse-engineered and exploited by threat actors shortly after public disclosure.

Analyst Recommendation

Given the high severity (CVSS 8) of this vulnerability and the potential for complete website compromise, we strongly recommend that immediate action is taken. Organizations must prioritize updating the affected "User Meta" plugin to the latest patched version without delay. Although there is no evidence of active exploitation at this time, the risk of a simple exploit being developed is high. Proactive patching is the most effective strategy to prevent a potentially disruptive and costly security incident.

Executive Summary:
A high-severity vulnerability has been identified in pgAdmin, which could allow an attacker to compromise the database management tool and gain unauthorized access to managed databases.

Vulnerability Details

CVE-ID: CVE-2025-9636

Affected Software: pgAdmin Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The advisory states that pgAdmin versions up to and including 9.x are affected by an unspecified vulnerability. Based on the high CVSS score and the nature of the application, this could range from cross-site scripting (XSS) to server-side request forgery (SSRF) or remote code execution, likely exploitable by an authenticated user or, in some cases, an unauthenticated attacker.

Business Impact

A compromise of pgAdmin could be catastrophic for data security. An attacker could execute arbitrary SQL queries, exfiltrate or modify sensitive data from any managed PostgreSQL database, or potentially gain shell access to the server hosting pgAdmin. The CVSS score of 7.9 (High) highlights the critical risk of losing control over database administration functions.

Remediation Plan

Immediate Action: Upgrade all pgAdmin installations to a version higher than 9.x, as specified in the official vendor advisory, to mitigate this risk.

Proactive Monitoring: Review pgAdmin and database server logs for suspicious or unauthorized administrative activities, such as unexpected user creation, permission changes, or large data exports.

Compensating Controls: Restrict network access to the pgAdmin web interface to a limited set of trusted IP addresses. Enforce multi-factor authentication for all pgAdmin user accounts.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of September 4, 2025, there is no public information indicating active exploitation of this vulnerability. As a widely used database management tool, any serious flaw in pgAdmin will be a prime target for attackers.

Analyst Recommendation

This vulnerability poses a direct and severe threat to the security of managed PostgreSQL databases. All organizations using affected versions of pgAdmin must prioritize upgrading to a patched version immediately to prevent potential data breaches and unauthorized database access.