PoC Week 2025-05-26

Posted on May 26, 2025

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-31324

  • Severity: 9.8 CRITICAL
  • Impacted Products: SAP NetWeaver Visual Composer Metadata Uploader
  • Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected by proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-31324
  • PoC: https://github.com/nullcult/CVE-2025-31324-File-Upload/

CVE-2025-4978

  • Severity: 9.3 CRITICAL
  • Impacted Products: Netgear DGND3700 1.1.00.15_1.00.15NA
  • Description: An unspecified part of the file /BRS_top.html in the Basic Authentication component is affected. Manipulation leads to improper authentication, and the attack can be initiated remotely. The exploit has been publicly disclosed and may be used. Other products might be affected as well. The vendor was contacted early about this disclosure.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-4978
  • PoC: https://github.com/at0de/my_vulns/blob/main/Netgear/DGND3700v2/backdoor.md

CVE-2025-47916

  • Severity: 9.3 CRITICAL
  • Impacted Products: Invision Community 5.0.0 before 5.0.7
  • Description: Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-47916
  • PoC: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/invision_customcss_rce.rb

CVE-2025-46724

  • Severity: 9.8 CRITICAL
  • Impacted Products: Langroid < 0.53.15
  • Description: Langroid is a Python framework for building large language model (LLM)-powered applications. Prior to version 0.53.15, TableChatAgent uses pandas eval(). If it is fed untrusted user input, as in a public-facing LLM application, it may be vulnerable to code injection. Langroid 0.53.15 sanitizes input to TableChatAgent by default to address the most common attack vectors, and adds several warnings about the risky behavior to the project documentation.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-46724
  • PoC: https://github.com/advisories/GHSA-jqq5-wc57-f8hj
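The Langroid entry above comes down to one pattern: an LLM-produced expression string is handed to pandas eval(), so whatever the model (or the user steering it) emits gets evaluated. The block below is an added example, not Langroid's code or its actual 0.53.15 fix: an allow-list validator built on Python's ast module that a TableChatAgent-style component could run on the expression before calling DataFrame.eval(). The column names, the permitted methods and functions, and the sample payloads are all constructed for the illustration; pandas itself is not imported, so the block runs stand-alone.

```python
"""Allow-list validation of DataFrame-style expressions before pandas eval().

Added illustration only. Assumes the caller knows the DataFrame's column
names and wants to permit arithmetic, comparisons, boolean logic and a few
aggregation methods, and nothing else (no attribute chains, no subscripts,
no arbitrary calls, no '@local' references)."""
import ast

# Constructed allow-lists for the example; a real agent would derive the
# column set from the DataFrame it is answering questions about.
ALLOWED_COLUMNS = {"age", "salary", "department", "years"}
ALLOWED_METHODS = {"mean", "sum", "max", "min", "count", "median"}
ALLOWED_FUNCS = {"abs", "round"}

_BIN_OPS = (ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod,
            ast.Pow, ast.BitAnd, ast.BitOr)          # & and | are pandas' and/or
_UNARY_OPS = (ast.USub, ast.UAdd, ast.Not, ast.Invert)  # ~ is pandas' not
_CMP_OPS = (ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn)


class UnsafeExpression(ValueError):
    """Raised for anything outside the allow-list."""


def _check(node, columns, callee=False):
    """Recursive structural check. `callee` is True only for the node in the
    function position of a Call, which is the one place a function name or a
    column.method attribute is acceptable."""
    if isinstance(node, ast.Expression):
        _check(node.body, columns)
    elif isinstance(node, ast.Constant):
        if type(node.value) not in (int, float, bool, str):
            raise UnsafeExpression(f"disallowed literal: {node.value!r}")
    elif isinstance(node, ast.Name):
        allowed = columns | (ALLOWED_FUNCS if callee else set())
        if node.id not in allowed:
            raise UnsafeExpression(f"unknown identifier: {node.id}")
    elif isinstance(node, ast.Attribute):
        # Blocks salary.__class__, salary.mean (no call), x.y.z chains, etc.
        if not callee:
            raise UnsafeExpression("attribute access only as a method call")
        if not (isinstance(node.value, ast.Name) and node.value.id in columns):
            raise UnsafeExpression("method calls only on known columns")
        if node.attr not in ALLOWED_METHODS:
            raise UnsafeExpression(f"disallowed method: {node.attr}")
    elif isinstance(node, ast.Call):
        if node.keywords:
            raise UnsafeExpression("keyword arguments not allowed")
        _check(node.func, columns, callee=True)
        for arg in node.args:
            _check(arg, columns)
    elif isinstance(node, ast.BinOp):
        if not isinstance(node.op, _BIN_OPS):
            raise UnsafeExpression(f"disallowed operator: {type(node.op).__name__}")
        _check(node.left, columns)
        _check(node.right, columns)
    elif isinstance(node, ast.UnaryOp):
        if not isinstance(node.op, _UNARY_OPS):
            raise UnsafeExpression(f"disallowed operator: {type(node.op).__name__}")
        _check(node.operand, columns)
    elif isinstance(node, ast.BoolOp):
        for value in node.values:
            _check(value, columns)
    elif isinstance(node, ast.Compare):
        for op in node.ops:
            if not isinstance(op, _CMP_OPS):
                raise UnsafeExpression(f"disallowed comparison: {type(op).__name__}")
        _check(node.left, columns)
        for comp in node.comparators:
            _check(comp, columns)
    elif isinstance(node, (ast.List, ast.Tuple)):
        for elt in node.elts:
            _check(elt, columns)
    else:  # Lambda, IfExp, Subscript, comprehensions, f-strings, walrus, ...
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def validate_expression(expr: str, columns=ALLOWED_COLUMNS) -> str:
    """Return expr unchanged if it passes the allow-list, else raise.
    Call this on the model's output and pass the result to DataFrame.eval()."""
    if len(expr) > 500:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:  # '@local', statements, NUL bytes
        raise UnsafeExpression(f"not a single expression: {exc}") from None
    _check(tree, set(columns))
    return expr


def is_safe(expr: str, columns=ALLOWED_COLUMNS) -> bool:
    try:
        validate_expression(expr, columns)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    # Constructed sample expressions: what an LLM might legitimately emit, and
    # what an attacker steering the LLM would try.
    for expr in ["salary > 50000 and department == 'eng'",
                 "(salary.mean() + salary.max()) / 2",
                 "__import__('os').system('id')",
                 "salary.__class__.__mro__",
                 "@pd"]:
        print(f"{'ALLOW' if is_safe(expr) else 'REJECT':6} {expr}")
```

The point of parsing rather than grepping is that substring denylists (reject `__`, `import`, `eval`) are bypassable through concatenation and alternative spellings, while an allow-list over the parsed tree rejects any construct it was never taught, including pandas' own `@variable` local references. Even with a validator in front, keep the DataFrame.eval() call off the main process and away from credentials: the validator narrows the grammar, it does not make the evaluator a sandbox.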

CVE-2025-4664

  • Severity: 4.3 MEDIUM
  • Impacted Products: Google Chrome prior to 136.0.7103.113
  • Description: Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-4664
  • PoC: https://x.com/slonser_/status/1919439380512469315

CVE-2025-4632

CVE-2025-45857

CVE-2025-4427 & CVE-2025-4428

  • Severity: 7.5 HIGH
  • Impacted Products: Ivanti Endpoint Manager Mobile 12.5.0.0
  • Description: An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-4427 & NVD - CVE-2025-4428
  • PoC: https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/

CVE-2024-46506

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections or omissions (e.g. newsletter recommendations), feel free to get in touch.