Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

Kaspersky Security Blog

Check Point Research

Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

SANS ISC Handlers Diary

SecurityWeek

Threatpost

Dark Reading

Exploit-DB RSS Feed

The Hacker News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive database contents via unsanitized parameter input. This vulnerability occurs due to improper input validation on /BEIMSWeb/contractor.asp endpoint and successful exploitation requires a contractor.asp endpoint open to the internet. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity and potentially the availability of the database. 





Version 5.7.139

 has been confirmed as vulnerable. Other versions have not been confirmed by the vendor and users should assume that all versions of BEIMS Contractor Web may be impacted until further guidance is provided by the vendor.

CVE-2025-10460 is a SQL Injection vulnerability classified under CWE-20 (Improper Input Validation) affecting BEIMS Contractor Web, specifically version 5.7.139. The vulnerability exists due to the failure to properly sanitize user-supplied input on the /BEIMSWeb/contractor.asp endpoint. This flaw allows unauthenticated attackers to inject arbitrary SQL commands directly into the backend database queries. Because the product is legacy and no longer maintained or patched by the vendor, no official fixes or updates are available, increasing the risk for users still running this software. Successful exploitation can lead to unauthorized data retrieval, modification, or deletion, impacting confidentiality, integrity, and availability of the database. The vulnerability requires the endpoint to be accessible over the internet, which is common in contractor-facing web applications. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:L/SA:N) indicates network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. While no exploits have been reported in the wild yet, the critical severity and ease of exploitation make this a high-risk vulnerability for affected organizations.

Detailed information about CVE-2025-10460: CWE-20 Improper Input Validation in BEIMS Contractor Web affecting BEIMS Contractor Web. Get real-time updates, techn

CVE-2025-10460: CWE-20 Improper Input Validation in BEIMS Contractor Web - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10460: CWE-20 Improper Input Validation in BEIMS Contractor Web

The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/

The RondoDox botnet malware has been observed exploiting a critical vulnerability in XWiki instances identified as CVE-2025-24893, an eval injection flaw with a CVSS score of 9.8. This vulnerability allows unauthenticated guest users to perform arbitrary remote code execution by sending crafted requests to the /bin/get/Main/SolrSearch endpoint. The flaw was patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. Despite the availability of patches, exploitation attempts have increased sharply since late 2025, with a notable spike in early November. Multiple threat actors, including RondoDox, have weaponized this vulnerability to deploy cryptocurrency miners, establish reverse shells, and conscript devices into a botnet used for distributed denial-of-service (DDoS) attacks leveraging HTTP, UDP, and TCP protocols. The attack chain is two-staged, initially compromising the server and then deploying secondary payloads. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity by adding it to their Known Exploited Vulnerabilities catalog, requiring remediation by November 20, 2025. The widespread scanning activity and rapid adoption by various malicious actors underscore the critical need for timely patching and proactive defense measures. The vulnerability's ease of exploitation, lack of authentication requirements, and potential for full system compromise make it a high-risk threat for organizations using XWiki, especially those with internet-facing instances.

Detailed information about RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet. Get real-time updates, technical details, and mitigat

RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet - Live Threat Intelligence - Threat Radar | OffSeq.com

Original Source

RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

The Akira ransomware group has been experimenting with new tools, bugs, and attack surfaces, with demonstrated success in significant sectors.

The Akira ransomware group, operating as a ransomware-as-a-service (RaaS) entity, has been experimenting with new attack tools, bugs, and surfaces, recently focusing on Nutanix virtual machines (VMs). Nutanix is a leading provider of hyperconverged infrastructure (HCI) solutions that integrate compute, storage, and virtualization resources, widely adopted in enterprise data centers and cloud environments. Akira’s targeting of Nutanix VMs suggests exploitation of vulnerabilities or misconfigurations within Nutanix’s virtualization stack or management interfaces, potentially allowing attackers to deploy ransomware payloads that encrypt critical virtualized workloads. Although no specific affected versions or publicly known exploits have been disclosed, the critical severity rating reflects the high impact potential of such attacks, including widespread disruption of virtualized services, data loss, and operational downtime. The group’s experimentation with new tools indicates evolving tactics that may bypass traditional defenses. The threat is particularly concerning for organizations with heavy reliance on Nutanix infrastructure, as ransomware on VMs can propagate rapidly across virtual networks and storage, complicating recovery efforts. The lack of patches or detailed technical indicators necessitates proactive defensive measures focused on hardening Nutanix environments, monitoring for anomalous activity, and ensuring robust backup and recovery strategies. The threat landscape is dynamic, and Akira’s demonstrated success in significant sectors underscores the urgency for targeted mitigation.

Detailed information about Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs. Get real-time updates, technical details, and mitigation strategies.

Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs - Live Threat Intelligence - Threat Radar | OffSeq.com

Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs

General Industrial Controls Lynx+ Gateway 
 is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device.

CVE-2025-58083 identifies a critical security vulnerability in the embedded web server of the General Industrial Controls Lynx+ Gateway, a device commonly used in industrial control systems (ICS). The vulnerability is classified under CWE-306, which denotes missing authentication. Specifically, the embedded web server does not enforce authentication mechanisms, allowing any remote attacker to access sensitive management functions without credentials. This lack of authentication enables attackers to remotely reset the device, which can disrupt operations, cause denial of service, or potentially serve as a foothold for further attacks within the industrial network. The affected product versions include R08, V03, V05, and V18, indicating a broad impact across multiple firmware releases. The vulnerability has a CVSS v3.1 base score of 10.0, reflecting its critical nature with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and complete impact on confidentiality (C:H), integrity (I:H), and availability (A:H). Although no exploits have been reported in the wild yet, the vulnerability’s characteristics make it highly exploitable. The device’s role in industrial environments means exploitation could lead to operational downtime, safety risks, and potential cascading failures in critical infrastructure. The absence of patches at the time of disclosure necessitates immediate risk mitigation through network-level controls and monitoring. This vulnerability highlights the importance of robust authentication in embedded web interfaces within ICS devices to prevent unauthorized access and control.

Detailed information about CVE-2025-58083: CWE-306 in General Industrial Controls Lynx+ Gateway affecting General Industrial Controls Lynx+ Gateway. Get real-ti

CVE-2025-58083: CWE-306 in General Industrial Controls Lynx+ Gateway - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-58083: CWE-306 in General Industrial Controls Lynx+ Gateway

Cybersecurity researchers have uncovered critical remote code execution vulnerabilities impacting major artificial intelligence (AI) inference engines, including those from Meta, Nvidia, Microsoft, and open-source PyTorch projects such as vLLM and SGLang. "These vulnerabilities all traced back to the same root cause: the overlooked unsafe use of ZeroMQ (ZMQ) and Python's pickle deserialization,"

Researchers have identified critical remote code execution (RCE) vulnerabilities affecting several prominent AI inference engines, including Meta's Llama framework, Nvidia's TensorRT-LLM, Microsoft's Sarathi-Serve, and open-source PyTorch-based projects like vLLM and SGLang. The vulnerabilities stem from an unsafe deserialization pattern involving Python's pickle module used in conjunction with ZeroMQ (ZMQ) sockets exposed over the network without authentication. Specifically, the use of ZeroMQ's recv_pyobj() method deserializes incoming data using pickle, which is inherently unsafe when processing untrusted input. This pattern, termed ShadowMQ, originated in Meta's Llama framework (CVE-2024-50050) and propagated through code reuse and copy-pasting across multiple projects. Some vulnerabilities have been assigned CVEs with high CVSS scores (6.3 to 8.8), while others remain unpatched or partially fixed. Exploitation allows attackers to execute arbitrary code remotely on AI inference nodes, potentially leading to privilege escalation, model theft, and deployment of malicious payloads such as cryptocurrency miners. The widespread reuse of vulnerable code amplifies the risk, as multiple AI frameworks share the same insecure deserialization logic. The issue highlights the dangers of rapid AI development and code sharing without adequate security review. Additionally, related threats include JavaScript injection attacks in AI-powered IDEs, emphasizing the broader attack surface in AI ecosystems. The vulnerabilities underscore the need for secure deserialization practices, network authentication, and rigorous code audits in AI infrastructure.

Detailed information about Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks. Get real-time updates, technical details,

Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks - Live Threat Intelligence - Threat Radar | OffSeq.com

Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks

A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta. Affected by this vulnerability is the function authenticationcgi_main of the file /authentication.cgi. Performing manipulation of the argument Password results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2025-13188 is a stack-based buffer overflow vulnerability identified in the D-Link DIR-816L router firmware version 2_06_b09_beta. The vulnerability resides in the authenticationcgi_main function within the /authentication.cgi endpoint, which processes authentication requests. By manipulating the Password parameter in the HTTP request, an attacker can overflow the stack buffer, potentially overwriting control data such as return addresses. This can lead to arbitrary code execution on the device remotely, without requiring any authentication or user interaction. The vulnerability is remotely exploitable over the network, making it highly dangerous. The CVSS 4.0 vector indicates no privileges or user interaction are needed, with high impact on confidentiality, integrity, and availability. Despite the exploit being publicly available, the affected product is no longer supported by D-Link, and no official patches or firmware updates have been released. This leaves devices running this firmware version exposed if accessible from untrusted networks. The vulnerability could allow attackers to take full control of the router, intercept or manipulate network traffic, or launch further attacks within the network. The lack of vendor support complicates remediation, requiring alternative mitigation strategies.

Detailed information about CVE-2025-13188: Stack-based Buffer Overflow in D-Link DIR-816L affecting D-Link DIR-816L. Get real-time updates, technical details, a

CVE-2025-13188: Stack-based Buffer Overflow in D-Link DIR-816L - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-13188: Stack-based Buffer Overflow in D-Link DIR-816L

Security firms say the flaw has been actively exploited for weeks, even as Fortinet quietly shipped fixes and CISA added the bug to its KEV catalog. The post Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability appeared first on SecurityWeek .

The reported security threat concerns a critical vulnerability in Fortinet's FortiWeb product line, a web application firewall (WAF) designed to protect web applications from attacks such as SQL injection, cross-site scripting, and other OWASP Top 10 threats. The vulnerability has been actively exploited in the wild for several weeks, as confirmed by Fortinet and reported by security firms. Although Fortinet has quietly shipped patches, the exploitation continues, indicating that many organizations have yet to apply the fixes or that the vulnerability is being leveraged in sophisticated attacks. The flaw's technical details are not fully disclosed in the provided information, but the critical severity suggests it allows attackers to bypass security controls, execute arbitrary code, or gain unauthorized access to sensitive data. The inclusion of this vulnerability in CISA's Known Exploited Vulnerabilities (KEV) catalog highlights its significance and the urgency for remediation. The lack of a CVSS score limits precise quantification of risk, but the active exploitation and critical rating imply a high-impact threat. FortiWeb's role as a frontline defense for web applications means that successful exploitation could lead to data breaches, service disruptions, or further network compromise. The absence of known exploits in the provided data may indicate recent discovery or limited public exploit availability, but active exploitation confirms real-world impact. Organizations relying on FortiWeb should consider this vulnerability a top priority for patching and incident response.

Detailed information about Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability. Get real-time updates, technical details, and mitigation st

Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability - Live Threat Intelligence - Threat Radar | OffSeq.com

Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability

A critical vulnerability has been identified in Imunify360, a widely used security solution for web hosting servers, putting millions of websites at risk. Although no known exploits are currently observed in the wild, the flaw's critical severity suggests potential for significant compromise if weaponized. The vulnerability could allow attackers to bypass security controls, potentially leading to unauthorized access, data breaches, or service disruption. European organizations relying on Imunify360 for server protection may face increased risk, especially those in countries with large hosting infrastructures. Immediate attention is required to monitor for patches and apply mitigations proactively. The threat's exploitation ease and broad impact potential justify a high severity rating. Defenders should prioritize vulnerability scanning, network segmentation, and enhanced monitoring for suspicious activity related to Imunify360 components. Countries with significant web hosting markets and cloud service providers, such as Germany, the UK, France, and the Netherlands, are likely to be most affected. Given the critical nature and potential impact on confidentiality, integrity, and availability, this vulnerability demands urgent mitigation efforts even in the absence of active exploits. Organizations should also engage with vendors and security communities to track developments and patch releases.

Imunify360 is a comprehensive security platform widely deployed in web hosting environments to protect servers from malware, exploits, and unauthorized access. A recently disclosed critical vulnerability in Imunify360 threatens millions of websites that depend on this solution for security. Although specific technical details and affected versions are not provided, the critical severity indicates that the flaw could allow attackers to bypass security mechanisms, potentially leading to remote code execution, privilege escalation, or unauthorized access to sensitive data. The lack of known exploits in the wild suggests that the vulnerability is either newly discovered or not yet weaponized, but the risk remains high due to the widespread deployment of Imunify360 in hosting infrastructures globally. The vulnerability was reported via a Reddit InfoSec news post linking to a security affairs article, highlighting the urgency and newsworthiness of the issue. The absence of patch links implies that fixes may not yet be publicly available, increasing the window of exposure. Given Imunify360's role in defending Linux-based hosting servers, exploitation could compromise web servers, leading to data breaches, defacement, or service outages. The minimal discussion and low Reddit score indicate early-stage awareness, underscoring the need for rapid information sharing and vendor response. Organizations using Imunify360 should closely monitor official channels for patches and advisories while implementing compensating controls to reduce attack surface and detect anomalous activity.

Detailed information about Millions of sites at risk from Imunify360 critical flaw exploit. Get real-time updates, technical details, and mitigation strategies.

Millions of sites at risk from Imunify360 critical flaw exploit - Live Threat Intelligence - Threat Radar | OffSeq.com

Millions of sites at risk from Imunify360 critical flaw exploit

Reddit Discussion: Millions of sites at risk from Imunify360 critical flaw exploit

An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges.

CVE-2025-54343 identifies an Incorrect Access Control vulnerability within the Application Server of Desktop Alert PingAlert versions 6.1.0.11 through 6.1.1.2. This flaw allows remote attackers to escalate privileges, meaning they can gain higher-level access rights than intended by exploiting improper enforcement of access controls. The vulnerability arises because the application server fails to correctly verify or restrict access to sensitive functions or data, enabling unauthorized users to perform actions reserved for privileged accounts. Although no public exploits have been reported, the remote nature of the attack vector increases the risk of exploitation, especially in environments where the application server is exposed to untrusted networks. The lack of a CVSS score indicates that the vulnerability is newly published and has not yet undergone formal severity assessment. However, the potential for privilege escalation without authentication or user interaction suggests a significant security risk. The affected versions are limited to a narrow range of PingAlert releases, which helps in targeted mitigation. The vulnerability impacts confidentiality by potentially exposing sensitive information, integrity by allowing unauthorized changes, and availability if attackers disrupt services or lock out legitimate users. The absence of patches or mitigation details in the provided data highlights the need for immediate vendor engagement and proactive defensive measures.

Detailed information about CVE-2025-54343: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-54343: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-54343: n/a

CVE-2025-54339 identifies an Incorrect Access Control vulnerability within the Application Server of Desktop Alert PingAlert versions 6.1.0.11 to 6.1.1.2. This vulnerability arises from improper enforcement of access restrictions, allowing remote attackers to escalate their privileges on the affected system. The Application Server component is responsible for managing alert distribution and communication, making it a critical part of the software's infrastructure. By exploiting this flaw, an attacker could gain unauthorized elevated access, potentially leading to unauthorized configuration changes, data exposure, or disruption of alerting services. The vulnerability does not require user interaction and can be exploited remotely, increasing its risk profile. No CVSS score has been assigned yet, and no public exploits are known, but the potential impact on confidentiality, integrity, and availability is significant. The lack of available patches at the time of reporting necessitates immediate risk mitigation through network segmentation and access control policies. This vulnerability is particularly concerning for organizations relying on Desktop Alert PingAlert for emergency communications and operational alerts, as unauthorized privilege escalation could undermine the reliability and security of these critical notifications.

Detailed information about CVE-2025-54339: n/a. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Critical Severity Threats

Own the pro-grade threat console forever with one upgrade.

Filter Threats

Scan a website for live threats in under a minute

Filtered Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility