A vulnerability was found in PHPGurukul User Registration & Login and User Management 3.3 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/lastsevendays-reg-users.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-8156 is a SQL Injection vulnerability identified in PHPGurukul User Registration & Login and User Management version 3.3. The vulnerability exists in the file /admin/lastsevendays-reg-users.php, specifically through the manipulation of the 'ID' parameter. This parameter is not properly sanitized or validated, allowing an attacker to inject malicious SQL code. The vulnerability can be exploited remotely without requiring user interaction or authentication, making it accessible to unauthenticated attackers over the network. The SQL Injection flaw could allow an attacker to read, modify, or delete data within the backend database, potentially compromising user data, including sensitive registration and login information. The CVSS 4.0 base score is 5.3, indicating a medium severity level, reflecting limited impact on confidentiality, integrity, and availability, and requiring low privileges but no user interaction. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The absence of an official patch or mitigation guidance from the vendor at this time further elevates the risk for users of this software. Given the critical role of user management systems in web applications, exploitation could lead to unauthorized access, data leakage, or further compromise of the hosting environment.

CVE Database V5

Detailed information about CVE-2025-8156: SQL Injection in PHPGurukul User Registration & Login and User Management affecting PHPGurukul User Registration & Log

CVE-2025-8156: SQL Injection in PHPGurukul User Registration & Login and User Management - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-8156: SQL Injection in PHPGurukul User Registration & Login and User Management

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files via ActiveX. This method leads to silent payload downloads and ransomware deployment. The campaign uses a Clickfix-themed malware delivery site, urging victims to visit a secondary page where malicious shell commands are executed. The attackers also impersonate various streaming services and use romance-themed lures. Epsilon Red, first observed in 2021, shows some similarities to REvil ransomware in its ransom note styling but appears distinct in its tactics and infrastructure.

The threat involves a newly observed campaign by the Epsilon Red ransomware group, active since July 2025, leveraging social engineering and drive-by download techniques to infect victims globally. Attackers create fake ClickFix verification web pages that impersonate popular platforms such as Discord, Twitch, and OnlyFans, as well as various streaming services, to lure users into downloading malicious .HTA (HTML Application) files. These .HTA files exploit ActiveX controls to silently execute shell commands and download ransomware payloads without user awareness. The campaign also uses romance-themed lures to increase victim engagement. Epsilon Red ransomware, first seen in 2021, shares ransom note stylistic similarities with REvil ransomware but operates with distinct tactics and infrastructure. The infection chain starts with phishing or social engineering to convince users to run the .HTA files, which then execute commands to deploy the ransomware. Indicators of compromise include specific file hashes, malicious domains (e.g., capchabot.cc, twtich.cc), and IP addresses. The attack leverages techniques such as T1053.005 (Scheduled Task/Job), T1036 (Masquerading), T1027 (Obfuscated Files or Information), T1486 (Data Encrypted for Impact), T1059.003 (Windows Command Shell), T1189 (Drive-by Compromise), T1071.001 (Web Protocols), T1059.005 (Visual Basic), and T1204.001 (User Execution). No known exploits in the wild are reported, but the campaign relies heavily on user interaction and social engineering to succeed.

AlienVault OTX General

Detailed information about Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware. Get real-time updates, techni

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware - Live Threat Intelligence - Threat Radar | OffSeq.com

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It employs Firebase for command and control, phishing pages to mimic banking interfaces, and techniques like call forwarding abuse. The malware's modular architecture, evasion tactics, and persistence mechanisms pose significant threats to mobile banking security. Distribution methods include smishing, fake websites, and malvertising. The report provides detailed static and dynamic analysis, highlighting the malware's capabilities in data exfiltration, debit card harvesting, and remote command execution.

This threat involves a sophisticated Android malware campaign impersonating Indian banking applications to target users primarily in India. The malware employs a dropper and main payload architecture, enabling it to stealthily install itself and maintain persistence on infected devices. It requests and abuses sensitive permissions such as SMS access and call forwarding, allowing it to intercept SMS messages, including OTPs, and manipulate call forwarding settings to facilitate unauthorized financial transactions and credential theft. The malware uses Firebase as its command and control (C2) infrastructure, enabling remote attackers to issue commands and update the malware modules dynamically. It also leverages phishing techniques by presenting fake banking interfaces to trick users into divulging credentials and debit card information. Distribution vectors include smishing (SMS phishing), fake websites, and malvertising campaigns, increasing the attack surface and infection rates. The modular design allows the malware to execute remote commands, harvest sensitive data, and evade detection through various persistence and evasion mechanisms. Static and dynamic analyses reveal capabilities such as data exfiltration, debit card harvesting, SMS interception, and abuse of Android call-forwarding features. Although the malware specifically targets Indian banking apps, its use of common Android features and Firebase C2 infrastructure means it could potentially be adapted to target other regions or banking institutions if threat actors choose to expand their operations.

Detailed information about Android Malware Posing As Indian Bank Apps. Get real-time updates, technical details, and mitigation strategies.

Android Malware Posing As Indian Bank Apps - Live Threat Intelligence - Threat Radar | OffSeq.com

Android Malware Posing As Indian Bank Apps

Koske, a new AI-Generated Linux malware appears in the threat landscape

Source: https://securityaffairs.com/180355/malware/koske-a-new-ai-generated-linux-malware-appears-in-the-threat-landscape.html

Koske is a newly identified Linux malware that has recently appeared in the cybersecurity threat landscape. What distinguishes Koske is that it is reportedly AI-generated, indicating that artificial intelligence techniques were leveraged in its creation, potentially to enhance its evasion capabilities, adaptability, or automation in attack processes. Although detailed technical specifics about its payload, propagation methods, or command and control infrastructure are not provided, the emergence of AI-generated malware represents a significant evolution in threat sophistication. Linux malware typically targets servers, cloud infrastructure, and IoT devices running Linux-based operating systems. The lack of known exploits in the wild and minimal discussion on Reddit suggest that Koske is either in early discovery stages or has limited deployment so far. The medium severity rating implies that while it may not be immediately critical, it poses a credible threat that could impact Linux environments if it evolves or is adopted by threat actors. The absence of affected versions and patch links indicates that Koske may be a new strain without specific vulnerabilities being exploited but rather a standalone malicious software. The AI-generation aspect could mean the malware is capable of polymorphic behavior, making detection by traditional signature-based antivirus solutions challenging. This development underscores the need for advanced behavioral detection and proactive threat hunting in Linux environments.

Reddit InfoSec News

Detailed information about Koske, a new AI-Generated Linux malware appears in the threat landscape. Get real-time updates, technical details, and mitigation str

Koske, a new AI-Generated Linux malware appears in the threat landscape - Live Threat Intelligence - Threat Radar | OffSeq.com

Koske, a new AI-Generated Linux malware appears in the threat landscape

Reddit Discussion: Koske, a new AI-Generated Linux malware appears in the threat landscape

JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application.

Detailed information about CVE-2025-43712: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-43712: n/a

CVE-2025-43712: n/a

Description

Technical Details

Related Threats

CVE-2025-8156: SQL Injection in PHPGurukul User Registration & Login and User Management

CVE-2025-8155: Cross Site Scripting in D-Link DCS-6010L

How we Rooted Copilot

CVE-2025-5254: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Kron Technologies Kron PAM

CVE-2025-5253: CWE-770 Allocation of Resources Without Limits or Throttling in Kron Technologies Kron PAM

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility