Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is actively exploited, allowing unauthenticated attackers to execute arbitrary code, create admin accounts, or implant backdoors. Concurrently, an ICTBroadcast vulnerability (CVE-2025-2611) is exploited to propagate the Frost botnet, which combines DDoS attack capabilities with multi-CVE spreading mechanisms. Wordfence has blocked over 131,000 attack attempts since late November 2025, indicating active exploitation. The Frost botnet leverages exploits for at least fifteen CVEs, suggesting a sophisticated multi-vector attack campaign. The attacks appear targeted and limited in scope, focusing on vulnerable internet-exposed systems. Indicators include multiple malicious IPs and domains linked to the campaign. No patches are currently referenced, and no known threat actors are identified. The combined threat poses risks to web infrastructure, especially WordPress sites using the Sneeit Framework and ICTBroadcast installations.
AI Analysis
Technical Summary
The threat involves two primary vulnerabilities exploited in the wild: CVE-2025-6389, a critical remote code execution (RCE) flaw in the Sneeit Framework WordPress plugin, and CVE-2025-2611, a vulnerability in the ICTBroadcast telephony software. The Sneeit RCE allows unauthenticated attackers to execute arbitrary code on affected servers, enabling them to create malicious administrator accounts or inject persistent backdoors, thereby gaining full control of the compromised WordPress sites. This vulnerability has been actively exploited since at least November 24, 2025, with over 131,000 attack attempts blocked by Wordfence, indicating widespread scanning and exploitation attempts. Simultaneously, the ICTBroadcast vulnerability is exploited to spread the Frost botnet, a DDoS botnet whose propagation component leverages exploits for at least fifteen different CVEs, making it a multi-vector threat. The Frost botnet combines volumetric DDoS attacks with this propagation mechanism, increasing its potential impact and persistence. The attacks are part of a small, targeted campaign, likely because only a limited number of vulnerable systems are exposed to the internet. Indicators such as malicious IP addresses (e.g., 185.125.50.59, 194.104.147.192) and the domain racoonlab.top have been identified; the indicator list also carries CVE-2025-1610 and CVE-2025-66516, which the source does not describe further. The threat actors remain unknown, and no official patches or mitigations are referenced here, which increases the urgency of defensive measures. The exploitation techniques map to known ATT&CK techniques: initial access via exploitation of a public-facing application (T1190), persistence through a web shell (T1505.003), command execution (T1059), creation of rogue accounts (T1136), and denial of service (T1498 for network flooding, T1499 for endpoint exhaustion).
Potential Impact
European organizations running WordPress sites with the Sneeit Framework plugin or ICTBroadcast software face significant risks including full server compromise, unauthorized administrative access, and persistent backdoors. This can lead to data breaches, defacement, service disruption, and use of compromised infrastructure in DDoS attacks against other targets. The Frost botnet’s DDoS capabilities threaten availability of critical online services, potentially impacting e-commerce, government portals, and financial institutions. The multi-CVE exploitation vector increases the likelihood of lateral movement and infection spread within networks. The creation of malicious admin accounts undermines trust and complicates incident response. Given the active exploitation and high volume of attack attempts, organizations without timely detection and mitigation may suffer operational downtime and reputational damage. The targeted nature suggests attackers may focus on specific sectors or high-value targets, increasing the risk for strategic European entities.
Mitigation Recommendations
1. Inventory WordPress installations for the Sneeit Framework plugin, and inventory ICTBroadcast deployments separately (ICTBroadcast is standalone telephony software, not a WordPress component); apply vendor updates where they exist and remove or isolate the software where they do not, since this page references no patch for either CVE.
2. Put a web application firewall in front of exposed instances and add custom rules for exploitation attempts against CVE-2025-6389 and CVE-2025-2611 as signatures become available.
3. Monitor logs for unexpected administrator account creation, modified or newly written PHP files, and anomalous outbound traffic that indicates botnet command-and-control or DDoS participation.
4. Segment networks so that a compromised web or telephony server cannot reach critical infrastructure, limiting lateral movement.
5. Require multi-factor authentication on all administrative accounts. Note that MFA protects the login path only; an RCE can insert an administrator directly on the server, so MFA complements rather than replaces the monitoring in step 3.
6. Run regular vulnerability scans and penetration tests that cover WordPress plugins and telephony software such as ICTBroadcast.
7. Ingest the IOCs listed on this page (the six IP addresses and racoonlab.top) into perimeter, web-server and DNS monitoring, and refresh them through threat intelligence providers as the campaign evolves.
8. Prepare incident response playbooks for web server compromise and botnet infection, including rebuilding affected hosts from known-good sources rather than removing individual backdoors.
9. Train administrators on the risk of unvetted plugins and the importance of timely updates.
10. Deploy endpoint detection and response on web and telephony servers to identify and remediate backdoors and botnet implants such as the Frost payload.
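The following is an added example covering recommendations 3 and 7 above; it is not code from the advisory, Wordfence, AlienVault or The Hacker News. It sweeps web-server and DNS log lines for the IP addresses and domain listed in this page's indicators, and audits WordPress administrator accounts registered on or after the November 24, 2025 start date cited above. The access-log format is assumed to be Apache/nginx combined log, the resolver-log shape is assumed, the user data is assumed to come from the WP-CLI command named in the docstring, and all sample log lines, user records and the allowlist are constructed for the example.

```python
"""Added detection example for this advisory: sweep logs for the page's IOCs and
audit WordPress administrator accounts created after the campaign start.
Not code from the advisory, Wordfence or AlienVault; all sample data below is
constructed, and the WP-CLI invocation is the assumed source of the user JSON."""
import json
import re
from datetime import datetime, timezone

# Indicators copied from this page's IOC list.
IOC_IPS = {
    "185.125.50.59", "114.10.116.226", "116.234.108.143",
    "182.8.226.51", "194.104.147.192", "196.251.100.39",
}
IOC_DOMAINS = {"racoonlab.top"}

# Earliest exploitation date cited on the page (Wordfence, 24 Nov 2025).
CAMPAIGN_START = datetime(2025, 11, 24, tzinfo=timezone.utc)

# Apache/nginx combined-log prefix: client IP, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Assumed resolver log shape "... query <type> <name>" (constructed for the example).
DNS_RE = re.compile(r"query \S+ (?P<name>\S+)")


def _is_listed_domain(name):
    """True for an exact IOC domain or any subdomain of it (c2.racoonlab.top),
    but not for look-alikes such as notracoonlab.top."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def ioc_hits(access_lines, dns_lines):
    """Return (ip_hits, domain_hits); each IP hit keeps timestamp and request for triage."""
    ip_hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            ip_hits.append((m.group("ip"), m.group("ts"), m.group("req")))
    domain_hits = []
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and _is_listed_domain(m.group("name")):
            domain_hits.append(m.group("name"))
    return ip_hits, domain_hits


def rogue_admins(wp_users_json, known_admins, since=CAMPAIGN_START):
    """Flag administrator accounts not on the known list and registered on or
    after `since`. Input is the JSON printed by:
      wp user list --role=administrator --format=json --fields=ID,user_login,user_registered
    WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS' in GMT."""
    flagged = []
    for user in json.loads(wp_users_json):
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if user["user_login"] not in known_admins and registered >= since:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample data (not real logs or users from any site).
SAMPLE_ACCESS = [
    '203.0.113.7 - - [25/Nov/2025:10:02:11 +0000] "GET /index.php HTTP/1.1" 200',
    '185.125.50.59 - - [25/Nov/2025:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200',
    '194.104.147.192 - - [26/Nov/2025:01:17:05 +0000] "GET / HTTP/1.1" 200',
]
SAMPLE_DNS = [
    "2025-11-26T03:14:09Z client 10.0.0.12 query A racoonlab.top",
    "2025-11-26T03:14:10Z client 10.0.0.12 query A cdn.example.com",
    "2025-11-26T03:14:30Z client 10.0.0.12 query A c2.racoonlab.top",
    "2025-11-26T03:15:00Z client 10.0.0.13 query A notracoonlab.top",
]
SAMPLE_WP_USERS = json.dumps([
    {"ID": 1, "user_login": "siteadmin", "user_registered": "2023-04-02 09:12:00"},
    {"ID": 57, "user_login": "wp_support", "user_registered": "2025-11-27 02:41:18"},
])
KNOWN_ADMINS = {"siteadmin"}  # assumed allowlist maintained by the site owner


if __name__ == "__main__":
    ips, doms = ioc_hits(SAMPLE_ACCESS, SAMPLE_DNS)
    for ip, ts, req in ips:
        print(f"IOC IP {ip} at {ts}: {req}")
    for name in doms:
        print(f"IOC domain lookup: {name}")
    for login in rogue_admins(SAMPLE_WP_USERS, KNOWN_ADMINS):
        print(f"unexpected administrator account: {login}")
```

Against the constructed input this reports the two IOC source addresses, both lookups of racoonlab.top (including the subdomain, while ignoring the look-alike), and the administrator account registered after the campaign start. The domain check matches on whole labels rather than substrings so that unrelated names containing the indicator text do not produce false positives; the account audit deliberately does not rely on login-path telemetry, because an RCE that writes the user directly never passes through the login form.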
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- ip: 185.125.50.59
- cve: CVE-2025-1610
- cve: CVE-2025-2611
- cve: CVE-2025-6389
- cve: CVE-2025-66516
- ip: 114.10.116.226
- ip: 116.234.108.143
- ip: 182.8.226.51
- ip: 194.104.147.192
- ip: 196.251.100.39
- domain: racoonlab.top
Technical Details
- Author: AlienVault
- TLP: white
- References: https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
- Adversary: not specified
- Pulse Id: 69381affff384c7c0e973a8e
- Threat Score: not specified
Threat ID: 69381cd61b76610347c61f24
Added to database: 12/9/2025, 12:57:58 PM
Last enriched: 12/9/2025, 1:02:54 PM
Last updated: 12/10/2025, 8:48:23 AM