PoC Week 2025-07-21

Posted on Jul 21, 2025

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-5777

CVE-2025-49812

  • Severity: 10.0 CRITICAL
  • Impacted Products: Wing FTP Server before 7.4.4
  • Description: In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-49812
  • PoC: https://github.com/4m3rr0r/CVE-2025-47812-poc

CVE-2025-52376

  • Severity: 10.0 CRITICAL
  • Impacted Products: Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below
  • Description: An authentication bypass vulnerability in the /web/um-open-telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-52376
  • PoC: https://github.com/Vagebondcur/nexxt-solutions-NCM-X1800-exploits/tree/main/CVE-2025-52376

CVE-2025-7340

  • Severity: 9.8 CRITICAL
  • Impacted Products: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress
  • Description: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-7340
  • PoC: https://github.com/Nxploited/CVE-2025-7340

CVE-2025-6934

  • Severity: 9.8 CRITICAL
  • Impacted Products: The Opal Estate Pro – Property Management and Submission plugin for WordPress
  • Description: The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the ‘on-regiser-user’ function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-6934
  • PoC: https://github.com/Nxploited/CVE-2025-6934

CVE-2025-53890

  • Severity: 9.8 CRITICAL
  • Impacted Products: pyload < 0.5.0b3.dev89
  • Description: pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-53890
  • PoC: https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53

CVE-2025-49029

  • Severity: 9.1 CRITICAL
  • Impacted Products: Custom Login And Signup Widget: from n/a through 1.0
  • Description: Improper Control of Generation of Code (‘Code Injection’) vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-49029
  • PoC: https://github.com/Nxploited/CVE-2025-49029/

CVE-2025-48384

  • Severity: 8 HIGH
  • Impacted Products: git prior to v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1
  • Description: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-48384
  • PoC: https://github.com/nguyentranbaotran/cve-2025-48384-poc/

CVE-2025-45814

  • Severity: 10.0 CRITICAL
  • Impacted Products: Cisco ISE and Cisco ISE-PIC
  • Description: A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-45814
  • PoC: https://github.com/abrewer251/CVE-2025-20281-2-Cisco-ISE-RCE

CVE-2025-25257

  • Severity: 9.8 CRITICAL
  • Impacted Products: Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10
  • Description: An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-25257
  • PoC: https://github.com/watchtowrlabs/watchTowr-vs-FortiWeb-CVE-2025-25257

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections or omissions (e.g. newsletter recs), feel free to get in touch.