Vulnerability intelligence

CVE-2025-12480 is an improper access control vulnerability affecting Triofox versions prior to 16.7.10368.56560. It allows unauthorized access to the initial setup pages even after the setup is complete. Attackers can bypass authentication and access configuration pages, potentially uploading and executing arbitrary payloads. In one observed case, a threat actor (UNC6485) exploited this vulnerability to create a new admin account and then used the built-in antivirus feature to execute malicious files. To remediate this vulnerability, it is recommended to upgrade to Triofox version 16.7.10368.56560 or later.

CVE-2025-9961 is a remote code execution (RCE) vulnerability found in TP-Link routers, specifically affecting the CWMP (CPE WAN Management Protocol) binary. An authenticated attacker can exploit this flaw to remotely execute arbitrary code on the affected devices. The vulnerability can be triggered by sending malformed SOAP requests. The vulnerability is a stack-based buffer overflow within the cwmp process. Security researchers bypassed Address Space Layout Randomization (ASLR) by brute-forcing the base address of the standard C library. Successful exploitation allows an attacker to gain full control of the router, potentially intercepting traffic, launching attacks on the local network, or adding the device to a botnet. The exploit often involves using a return-to-libc (ret2libc) technique to call the system() function with a command to download and execute a malicious binary from an attacker-controlled server.

CVE-2025-21042 is an out-of-bounds write vulnerability found in Samsung's libimagecodec.quram.so library. This library is responsible for handling image parsing and decoding on Samsung Galaxy devices. The vulnerability is triggered when processing a specially crafted image file, leading to a write operation outside the allocated memory boundaries. Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on affected devices. This can be achieved through various channels such as email attachments, messaging apps, or web browsing, where the device processes an attacker-supplied image. A patch has been released in the SMR Apr-2025 Release 1 security update to address this vulnerability.

CVE-2025-21042 is an out-of-bounds write vulnerability found in Samsung's libimagecodec.quram.so library. This library is responsible for handling image parsing and decoding on Samsung Galaxy devices. The vulnerability is triggered when processing a specially crafted image file, leading to a write operation outside the allocated memory boundaries. Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on affected devices. This can be achieved through various channels such as email attachments, messaging apps, or web browsing, where the device processes an attacker-supplied image. A patch has been released in the SMR Apr-2025 Release 1 security update to address this vulnerability.

CVE-2025-48703 is a Remote Code Execution (RCE) vulnerability found in the `filemanager` module of a web hosting control panel, such as cPanel. The vulnerability stems from improper input sanitization in the `acc=changePerm` function, which allows attackers to inject and execute arbitrary system commands using the `t_total` parameter. This vulnerability allows attackers to execute arbitrary commands on the target server. Successful exploitation could lead to establishing a reverse shell for persistent access and potentially escalating privileges or moving laterally within the system. It was reported to affect CentOS Web Panel (CWP) versions 0.9.8.1204 and 0.9.8.1188.

CVE-2025-11371 is an unauthenticated local file inclusion vulnerability found in Gladinet CentreStack and TrioFox. It exists in the default installation and configuration of these applications. The vulnerability allows attackers to read sensitive system files without authentication. Exploitation of this vulnerability has been observed in the wild. The vulnerability impacts all versions of Gladinet CentreStack and TrioFox up to and including 16.7.10368.56560. By exploiting this flaw, a threat actor can retrieve the machine key from the application's Web.config file. This key can then be used to perform remote code execution via a ViewState deserialization vulnerability.