PoC Week 2025-07-28
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.
CVE-2025-53770
- Severity: 9.8 CRITICAL
- Impacted Products: Hosted SharePoint Server
- Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-53770
- PoC: https://github.com/B1ack4sh/Blackash-CVE-2025-53770/
CVE-2025-25257
- Severity: 9.8 CRITICAL
- Impacted Products: Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10
- Description: An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-25257
- PoC: https://github.com/watchtowrlabs/watchTowr-vs-FortiWeb-CVE-2025-25257
CVE-2025-23266
- Severity: 8.2 HIGH
- Impacted Products: NVIDIA Container Toolkit
- Description: This vulnerability allows local attackers to escalate privileges on affected installations of NVIDIA Container Toolkit. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of hooks. The issue results from the lack of restrictions on environment variables prior to spawning a hook process. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the host system.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-23266
- PoC: https://github.com/jpts/cve-2025-23266-poc/
CVE-2024-3400
- Severity: 10.0 CRITICAL
- Impacted Products: Palo Alto Networks PAN-OS, specifically versions 10.2.0, 11.0.0, and 11.1.0
- Description: The vulnerability is a command injection flaw in the GlobalProtect feature of PAN-OS, allowing an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Notably, Cloud NGFW, Panorama appliances, and Prisma Access are not affected.
- Remediation: Users are advised to apply mitigations as per vendor instructions when available. For vulnerable versions, enable Threat Prevention IDs or disable device telemetry until patches are issued.
- More Info: NVD - CVE-2024-3400
- PoC: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
CVE-2025-7340
- Severity: 9.8 CRITICAL
- Impacted Products: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress
- Description: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-7340
- PoC: https://github.com/Nxploited/CVE-2025-7340
CVE-2025-5777
- Severity: 7.5 HIGH
- Impacted Products: NetScaler
- Description: Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-5777
- PoC: https://github.com/orange0Mint/CitrixBleed-2-CVE-2025-5777
CVE-2025-54309
- Severity: 9.8 CRITICAL
- Impacted Products: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23
- Description: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-54309
- PoC: https://github.com/issamjr/CVE-2025-54309-EXPLOIT
CVE-2025-54122
- Severity: 10.0 CRITICAL
- Impacted Products: Manager-io/Manager < 25.7.21.2525
- Description: Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desktop and Server edition versions up to and including 25.7.18.2519. This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments. This vulnerability is fixed in version 25.7.21.2525.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-54122
- PoC: https://github.com/Manager-io/Manager/security/advisories/GHSA-347w-cgwh-m895
CVE-2025-53890
- Severity: 9.8 CRITICAL
- Impacted Products: pyload < 0.5.0b3.dev89
- Description: pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-53890
- PoC: https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53
CVE-2025-52688
- Severity: 9.8 CRITICAL
- Impacted Products: Alcatel AP13161 - Enterprise Wi-Fi access point
- Description: Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-52688
- PoC: https://github.com/joelczk/CVE-2025-52688/
CVE-2025-52376
- Severity: 10.0 CRITICAL
- Impacted Products: Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below
- Description: An authentication bypass vulnerability in the /web/um-open-telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-52376
- PoC: https://github.com/Vagebondcur/nexxt-solutions-NCM-X1800-exploits/tree/main/CVE-2025-52376
CVE-2025-36846
- Severity: 9.8 CRITICAL
- Impacted Products: Eveo URVE Web Manager 27.02.2025
- Description: An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec() function of PHP. NOTE: this can be chained with CVE-2025-36845.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-36846
- PoC: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-034.txt
CVE-2025-20281
- Severity: 10.0 CRITICAL
- Impacted Products: Cisco ISE and Cisco ISE-PIC
- Description: A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-20281
- PoC: https://github.com/abrewer251/CVE-2025-20281-2-Cisco-ISE-RCE
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections or omissions (e.g. newsletter recommendations), feel free to get in touch.