Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

Check Point Research

AlienVault OTX General

CVE Database V5

SANS ISC Handlers Diary

SecurityWeek

Threatpost

The Hacker News

Exploit-DB RSS Feed

CIRCL OSINT Feed

ThreatFox MISP Feed

Kaspersky Security Blog

Reddit NetSec

Reddit InfoSec News

Dark Reading

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A critical remote code execution (RCE) vulnerability (CVE-2026-0625) affects legacy D-Link DSL routers via command injection in the dnscfg. cgi endpoint due to improper sanitization of DNS configuration parameters. This flaw allows unauthenticated attackers to execute arbitrary shell commands remotely, enabling full control over DNS settings without credentials or user interaction. Exploitation can lead to DNS hijacking, redirecting or intercepting traffic for all devices behind the compromised router. The affected models, including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, are end-of-life and unpatchable, increasing operational risk. Active exploitation attempts were observed as early as November 2025. D-Link is investigating affected firmware variants but no reliable detection method exists beyond direct firmware inspection. European organizations using these legacy devices face significant threats to network integrity and confidentiality. Immediate device replacement and network segmentation are critical to mitigate risks.

The vulnerability CVE-2026-0625 is a critical remote code execution flaw discovered in legacy D-Link DSL gateway routers, specifically models DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, produced between 2016 and 2019. The root cause is a command injection vulnerability in the dnscfg.cgi endpoint, which handles DNS configuration parameters without proper input sanitization. This allows an unauthenticated remote attacker to inject arbitrary shell commands, leading to full remote code execution on the device. The exploitation vector requires no authentication or user interaction, making it highly accessible to attackers scanning for vulnerable devices. The vulnerability enables attackers to alter DNS settings, effectively hijacking DNS traffic to redirect, intercept, or block communications for all downstream devices connected to the compromised router. This can facilitate persistent man-in-the-middle attacks, data interception, and malware distribution. The affected routers have reached end-of-life status, and no official patches are available, complicating remediation efforts. Active exploitation campaigns were detected by Shadowserver Foundation in late 2025, indicating real-world threat activity. D-Link is conducting a firmware-level review to identify all impacted models, but detection is challenging due to firmware variations. The vulnerability leverages a previously known DNSChanger attack vector, emphasizing the risk of large-scale DNS hijacking campaigns. Organizations still operating these legacy devices face elevated operational and security risks due to the inability to patch or secure these routers effectively.

Detailed information about Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers. Get real-time updates, technical details, and mit

Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers - Live Threat Intelligence - Threat Radar | OffSeq.com

Original Source

Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers

CVE-2026-0650 is a critical authentication bypass vulnerability in OpenFlagr's Flagr product versions up to 1. 1. 18. The flaw arises from improper path normalization in the HTTP middleware whitelist logic, allowing crafted requests to circumvent authentication. Attackers can access protected API endpoints without credentials, potentially modifying feature flags and exporting sensitive data. This vulnerability has a CVSS 4. 0 score of 9. 3, indicating high impact and ease of exploitation without user interaction or privileges. No known exploits are currently reported in the wild. European organizations using Flagr for feature flag management face significant risks to confidentiality, integrity, and availability.

CVE-2026-0650 is a critical vulnerability identified in OpenFlagr's Flagr product, affecting all versions up to and including 1.1.18. The root cause is an authentication bypass due to improper handling of path normalization within the HTTP middleware's whitelist logic. Specifically, the middleware fails to correctly normalize request paths, enabling attackers to craft specially formed HTTP requests that bypass authentication checks. This allows unauthorized users to access protected API endpoints that should require valid credentials. The exposed endpoints can be used to modify feature flags, which control application behavior, and to export sensitive data stored or managed by Flagr. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-425 (Direct Request ('Forced Browsing')). The CVSS 4.0 base score is 9.3, reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild yet, the ease of exploitation and critical nature of the flaw make it a significant threat. The vulnerability was published on January 7, 2026, and no official patches have been linked yet, indicating that affected organizations must apply mitigations or monitor for updates closely.

Detailed information about CVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr affecting OpenFlagr Flagr. Get real-time updat

CVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr

A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in os command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-15471 is a remote OS command injection vulnerability identified in TRENDnet TEW-713RE routers running firmware version 1.02. The vulnerability resides in an unspecified function accessed via the /goformX/formFSrvX endpoint, where the SZCMD parameter is improperly sanitized, allowing attackers to inject arbitrary operating system commands. This flaw can be exploited remotely without any authentication or user interaction, making it highly accessible to attackers. The CVSS 4.0 base score of 9.3 reflects the critical nature of this vulnerability, with a vector indicating network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The vendor was informed early but has not issued any patches or advisories, and a public exploit has been released, increasing the risk of widespread exploitation. Successful exploitation could lead to full device compromise, enabling attackers to execute arbitrary commands, potentially pivot within networks, intercept or manipulate traffic, and disrupt services. The lack of vendor response and patch availability exacerbates the threat, leaving affected devices exposed. The vulnerability primarily impacts the TRENDnet TEW-713RE model, commonly used in small office/home office environments, which may be deployed in various organizational contexts including European enterprises and critical infrastructure.

Detailed information about CVE-2025-15471: OS Command Injection in TRENDnet TEW-713RE affecting TRENDnet TEW-713RE. Get real-time updates, technical details, an

CVE-2025-15471: OS Command Injection in TRENDnet TEW-713RE - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-15471: OS Command Injection in TRENDnet TEW-713RE

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server.This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.

CVE-2025-30996 is a critical security vulnerability categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting multiple Themify WordPress themes including Sidepane, Newsy, Folo, Edmin, Bloggie, Photobox, Wigi, Rezo, and Slide. The vulnerability allows an attacker with low privileges (authenticated user) to upload files without proper validation of their type, enabling the upload of malicious web shells to the web server hosting the WordPress site. This can lead to remote code execution, allowing attackers to execute arbitrary commands, escalate privileges, and potentially take full control of the affected server. The vulnerability affects all versions of these themes up to the latest specified (e.g., Sidepane through 1.9.8, Newsy through 1.9.9, etc.). The CVSS v3.1 base score is 9.9, reflecting the critical nature of this flaw with attack vector network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and scope changed (S:C), impacting confidentiality, integrity, and availability at a high level (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a prime target for attackers seeking to compromise WordPress sites using these themes. The lack of official patches or updates linked in the provided data suggests that affected organizations must implement interim mitigations. The root cause is insufficient validation of uploaded file types, allowing dangerous files such as PHP web shells to be uploaded and executed. This vulnerability is particularly dangerous because WordPress sites are often internet-facing and widely used, increasing the attack surface. The affected themes are popular within the WordPress ecosystem, increasing the potential scope of impact. Attackers exploiting this vulnerability can gain persistent access, exfiltrate sensitive data, deface websites, or use compromised servers as pivot points for further attacks.

Detailed information about CVE-2025-30996: CWE-434 Unrestricted Upload of File with Dangerous Type in Themify Themify Sidepane WordPress Theme affecting Themify

CVE-2025-30996: CWE-434 Unrestricted Upload of File with Dangerous Type in Themify Themify Sidepane WordPress Theme - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-30996: CWE-434 Unrestricted Upload of File with Dangerous Type in Themify Themify Sidepane WordPress Theme

wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.

CVE-2025-14942 is a critical security vulnerability classified under CWE-287 (Improper Authentication) affecting the wolfSSH library, a component of the wolfSSL suite widely used for embedded SSH communications. The vulnerability arises from flaws in the key exchange state machine within wolfSSH versions 1.4.21 and earlier. An attacker can manipulate the state machine to cause the client to leak its password in plaintext, send a bogus cryptographic signature, or bypass user authentication entirely. This means that an attacker positioned as a man-in-the-middle or with network access can intercept or manipulate the SSH handshake to compromise authentication mechanisms. Although the primary impact is on client applications, server applications using wolfSSH share the same defect, posing a risk even if no active attacks have been reported against servers yet. The vulnerability requires no privileges and no user interaction, making exploitation straightforward in vulnerable environments. The CVSS 4.0 score of 9.4 reflects the high impact on confidentiality (password leakage), integrity (bogus signatures), and availability (authentication bypass). The flaw undermines the fundamental trust model of SSH connections, potentially allowing unauthorized access and credential compromise. The vulnerability was responsibly disclosed by security researchers from Valeo and Telecom SudParis. Immediate remediation involves updating wolfSSH to patched versions or applying vendor-provided fixes and rotating any credentials used during the vulnerable period.

Detailed information about CVE-2025-14942: CWE-287 Improper Authentication in wolfSSL wolfSSH affecting wolfSSL wolfSSH. Get real-time updates, technical detail

CVE-2025-14942: CWE-287 Improper Authentication in wolfSSL wolfSSH - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-14942: CWE-287 Improper Authentication in wolfSSL wolfSSH

Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of clients credentials.

CVE-2025-11625 is a vulnerability classified under CWE-287 (Improper Authentication) affecting wolfSSH, a secure shell client component of the wolfSSL embedded SSL/TLS library. The vulnerability exists in wolfSSH versions 1.4.20 and earlier, where improper host authentication allows an attacker to bypass normal authentication mechanisms. This flaw enables attackers to impersonate legitimate hosts or intercept and leak client credentials during the SSH handshake process. The vulnerability does not require any prior privileges or authentication and can be triggered remotely over the network, making it highly exploitable. The CVSS v4.0 score of 9.4 reflects its critical severity, with attack vector being network-based, low attack complexity, no privileges required, but user interaction is needed. The impact covers confidentiality, integrity, and availability, as attackers can gain unauthorized access, manipulate data, or disrupt communications. wolfSSH is commonly used in embedded systems, IoT devices, and industrial control systems due to its lightweight footprint, increasing the risk to critical infrastructure and devices with limited update capabilities. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity warrant immediate attention from users and vendors. The absence of a patch link suggests that a fix is pending or in development, emphasizing the need for proactive mitigation.

Detailed information about CVE-2025-11625: CWE-287 Improper Authentication in wolfSSL wolfSSH affecting wolfSSL wolfSSH. Get real-time updates, technical detail

CVE-2025-11625: CWE-287 Improper Authentication in wolfSSL wolfSSH - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-11625: CWE-287 Improper Authentication in wolfSSL wolfSSH

Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8.

CVE-2025-39477 is a critical security vulnerability classified under CWE-862 (Missing Authorization) affecting the Sfwebservice InWave Jobs product up to version 3.5.8. The vulnerability arises from improperly configured access control security levels within the InWave Jobs web service component, which fails to enforce authorization checks correctly. This misconfiguration allows unauthenticated remote attackers to perform unauthorized actions that should be restricted, potentially accessing sensitive data, modifying job-related information, or disrupting service availability. The CVSS 3.1 base score of 9.8 reflects the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of exploitation (network vector, no privileges or user interaction required). Although no public exploits have been reported yet, the vulnerability's nature suggests that attackers could leverage it to gain unauthorized access to internal HR or recruitment data, manipulate job postings, or cause denial of service. The lack of available patches at the time of publication necessitates immediate attention to access control policies and network defenses to mitigate risk. The vulnerability's presence in a widely used job management system underscores the importance of secure authorization mechanisms in web services handling sensitive organizational data.

Detailed information about CVE-2025-39477: CWE-862 Missing Authorization in Sfwebservice InWave Jobs affecting Sfwebservice InWave Jobs. Get real-time updates, 

CVE-2025-39477: CWE-862 Missing Authorization in Sfwebservice InWave Jobs - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-39477: CWE-862 Missing Authorization in Sfwebservice InWave Jobs

Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials.

CVE-2025-60534 identifies a critical authentication bypass vulnerability in Blue Access Cobalt version 02.000.195. The vulnerability allows an attacker to selectively proxy requests to the web application, effectively bypassing the authentication mechanism. This means that an attacker can perform actions and access functionalities within the application without needing legitimate user credentials. The technical details specify that the attacker can manipulate request flows to operate the application as if authenticated, which can lead to unauthorized access to sensitive data or unauthorized operations. The vulnerability was reserved in late September 2025 and published in early January 2026, but no CVSS score has been assigned yet, and no public exploits have been reported. The lack of a patch link suggests that a fix may not yet be available, increasing the urgency for organizations to monitor and prepare mitigations. The absence of user interaction requirements and the ability to bypass authentication make this vulnerability particularly dangerous, as it lowers the barrier for exploitation. However, the exact affected versions beyond the stated version and the full scope of impacted functionalities are not detailed, which complicates precise risk assessment. The vulnerability's exploitation could compromise confidentiality and integrity of data and potentially availability if critical functions are manipulated.

Detailed information about CVE-2025-60534: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-60534: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-60534: n/a

An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is automatically owned by the root user and remote attackers could gain root-level control over the devices.

CVE-2025-60262 is a critical security vulnerability identified in specific H3C wireless networking devices, namely the M102G HM1A0V200R010 wireless controller and the BA1500L SWBA1A0V100R006 wireless access point. The root cause is a misconfiguration in the vsftpd (Very Secure FTP Daemon) service running on these devices. Specifically, files uploaded anonymously via the FTP protocol are automatically assigned root ownership, which is a severe security flaw. This misconfiguration allows remote attackers to upload malicious files that gain root-level privileges on the device without requiring authentication or user interaction. Once an attacker uploads a file, they effectively gain full administrative control over the device, enabling them to manipulate configurations, intercept or redirect network traffic, or use the device as a foothold for further network compromise. The vulnerability is particularly dangerous because it leverages a common service (FTP) that may be enabled for legitimate purposes, and anonymous uploads are often overlooked in security assessments. No CVSS score has been assigned yet, and no patches or mitigations have been officially released by H3C. There are no known exploits in the wild, but the ease of exploitation and the critical impact on device integrity make this vulnerability a high priority for security teams. The lack of version specifics suggests the issue may affect all firmware versions running the vulnerable vsftpd configuration. This vulnerability highlights the importance of secure FTP configurations and strict access controls on network infrastructure devices.

Detailed information about CVE-2025-60262: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-60262: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-60262: n/a

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.

The vulnerability identified as CVE-2025-65212 affects NJHYST HY511 POE core devices and associated plugins prior to versions 2.1 and 0.1 respectively. The root cause is insufficient cookie verification in the device's web management interface. This flaw allows an attacker to bypass the login authentication by directly requesting the URL of the core configuration file. Since the device does not properly validate the requester's session or cookies, the attacker can download the configuration file without any credentials. The configuration file contains sensitive information including usernames and passwords, where the passwords are stored as self-decrypted MD5 hashes. By extracting these credentials, the attacker can log in to the backend management interface, effectively bypassing the front-end login page. This leads to unauthorized administrative access, enabling potential configuration changes, device control, or further lateral movement within the network. The vulnerability does not require prior authentication or user interaction, increasing its risk. Although no public exploits have been reported yet, the flaw's nature suggests it could be exploited remotely by anyone with network access to the device management interface. The lack of a CVSS score indicates the need for a severity assessment based on impact and exploitability factors. The vulnerability impacts confidentiality (exposure of credentials), integrity (unauthorized configuration changes), and potentially availability if the attacker disrupts device operation. The affected devices are typically used in network infrastructure environments, making this a critical concern for organizations relying on NJHYST hardware. No official patches or mitigations are currently listed, emphasizing the need for immediate defensive measures.

Detailed information about CVE-2025-65212: n/a. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Critical Severity Threats

Stop chasing alerts. Route them.

Filter Threats

Filtered Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility